Systems and methods for scalable-factor authentication

ABSTRACT

Authentication systems and methods can selectively authenticate a request to access a resource data store storing access rights associated with a user device. The systems and methods can scalably execute challenges workflows as part of the authentication process. For example, a request to access one or more access rights stored in the data store can be received from the user device. The user device can be authenticated using challenge workflows selected based on a device identifier of the user device. The selected challenge workflows can be executed to determine whether or not to grant access to the access rights stored in the resource data store.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority benefit to U.S. ProvisionalApplication No. 62/263,290, filed Dec. 4, 2015, and entitled “SYSTEMSAND METHODS FOR SCALABLE-FACTOR AUTHENTICATION,” the disclosure of whichis hereby incorporated by reference in its entirety for all purposes.

TECHNICAL FIELD

The present disclosure relates generally to multi-factor authentication.More specifically, the present disclosure relates to systems and methodsfor scalable authentication of access to resource data using workflows.

BACKGROUND

Accessibility to digital information has become increasingly easy forusers. For example, users can access content from anywhere via theirmobile devices as long as an Internet connection exists. However,unauthorized access to digital information has also increased.Unauthorized devices can gain access to and interact with a user'ssecured information. Current authentication techniques are burdensome toauthorized users. Further, these authentication tools do not easilydifferentiate between authorized and unauthorized devices.

SUMMARY

In some embodiments, a computer-implemented method for scalableauthentication of access to resource data using challenge workflows isprovided. A first communication can be received from a user device. Forexample, the first communication can correspond to a request for accessto one or more access rights assigned to the user device. The one ormore access rights can be included in a plurality of access rightsstored in a resource data store. Further, a device identifier of theuser device can be extracted from the first communication. For example,the device identifier can characterize an attribute of the user device.A set of challenge workflows can be accessed. In some cases, eachchallenge workflow of the set of challenge workflows can include aprocess that is performed to authenticate user devices requesting accessto the resource data store. A parameter for each challenge workflow ofthe set of challenge workflows can be generated. The generation of theparameter for each challenge workflow can be based on the deviceidentifier of the user device. For example, the generation of theparameter can include applying a defined rule to the device identifierto generate the parameter. A subset of challenge workflows can beselected from the set of challenge workflows. The selection of thesubset can be performed using a comparison of each parameter and athreshold condition. For example, the parameters (and the associatedchallenge workflows) that meet or exceed the threshold condition can beselected as the subset, whereas, the parameters (and the associatedchallenge workflows) that do not meet or exceed the threshold conditionare not selected as the subset. Each challenge workflow of the subset ofchallenge workflows can be executed. The execution of a challengeworkflow from the subset can include performing an authentication testto be satisfied before access to the one or more access rights isgranted. One or more second communications can be received. For example,each of the one or more second communications can be a response to anauthentication test associated with execution of a challenge workflow(of the subset). For each challenge workflow of the subset of challengeworkflows, it can be determined whether the corresponding secondcommunication satisfies the associated authentication test. Acommunication link can be established between the user device and theresource data store to grant access to the one or more access rightswhen the corresponding authentication test for each challenge workflowof the subset of challenge workflows is satisfied.

In some embodiments, a system for scalable authentication of access toresource data using challenge workflows is provided. The system caninclude one or more data processors, and a non-transitorycomputer-readable storage medium containing instructions which, whenexecuted on the one or more data processors, cause the one or more dataprocessors to perform one or more actions of one or more methodsdisclosed herein.

In some embodiments, a computer-program product tangibly embodied in anon-transitory machine-readable storage medium is provided. Thecomputer-program product includes instructions configured to cause oneor more data processors to perform actions of one or more methodsdisclosed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

The specification makes reference to the following appended figures, inwhich use of like reference numerals in different figures is intended toillustrate like or analogous components.

FIG. 1 depicts a block diagram of an embodiment of a resourceaccess-facilitating interaction system;

FIG. 2 shows an illustration of hardware and network connections of aresource access-facilitating interaction system according to anembodiment of the invention;

FIG. 3 shows an illustration of a communication exchange betweencomponents involved in a resource access-facilitating interaction systemaccording to an embodiment of the invention;

FIG. 4 illustrates example components of a device;

FIG. 5 illustrates example components of resource access coordinatormodule;

FIG. 6 illustrates a flowchart of an embodiment of a process forassigning access rights for resources;

FIGS. 7A and 7B show embodiments of site systems in relations to mobiledevices;

FIG. 8 shows a block diagram of user device according to an embodiment;

FIG. 9 illustrates sample components of an embodiment of site system180, including connections to a NAS and access management system;

FIG. 10 is a block diagram illustrating another embodiment of a resourceaccess-facilitating interaction system;

FIG. 11 is a block diagram illustrating another embodiment of a resourceaccess-facilitating interaction system;

FIG. 12 is a swim lane diagram illustrating a multi-factorauthentication process, according to an embodiment;

FIG. 13 is a swim lane diagram illustrating a multi-factorauthentication process according to another embodiment;

FIG. 14 is a block diagram of a challenge workflow scaling systemaccording to an embodiment;

FIG. 15 is a block diagram illustrating an example of determining a userfootprint for scaling challenge workflows according to an embodiment;

FIG. 16 is a flowchart illustrating a process for multi-factorauthentication according to an embodiment; and

FIG. 17 is a flowchart illustrating a process for scaling challengeworkflows according to an embodiment.

In the appended figures, similar components and/or features can have thesame reference label. Further, various components of the same type canbe distinguished by following the reference label by a dash and a secondlabel that distinguishes among the similar components. If only the firstreference label is used in the specification, the description isapplicable to any one of the similar components having the same firstreference label irrespective of the second reference label.

DETAILED DESCRIPTION

Certain aspects and features of the present disclosure relate todevices, systems, and methods for scalably authenticating requests foraccessing digital information (e.g., stored access rights) usingchallenge workflows (e.g., factors, authentication tests, etc.). Arequest to access a resource data store that stores one or more accessrights to a resource can be received from a user device. The user devicetransmitting the request can selectively be authenticated in a scalablemanner using one or more challenge workflows (used interchangeably with“factors”). In addition, the number and type of challenge workflows thatare executed as part of the authentication process can be determinedbased on a type of user device that transmitted the request (e.g.,laptop, smartphone, server, etc.), information included in the request(e.g., a type of request, information associated with the stored one ormore access rights, an Internet Protocol (IP) address associated withthe request, a geographical location of the user device, etc.), orinformation related to the one or more access rights that the userdevice requested to access. In some examples, the request to access theresource data store can correspond to a request to reassign the accessright to another user, to perform a printing operation to print aphysical representation of the access right, and the like.

The ensuing description provides preferred exemplary embodiment(s) onlyand is not intended to limit the scope, applicability or configurationof the disclosure. Rather, the ensuing description of the preferredexemplary embodiment(s) will provide those skilled in the art with anenabling description for implementing a preferred exemplary embodiment.It is understood that various changes can be made in the function andarrangement of elements without departing from the spirit and scope asset forth in the appended claims.

FIG. 1 depicts a block diagram of an embodiment of a resource managementsystem 100, according to an embodiment of the present disclosure. Mobiledevice 110 (which can be operated by a user 105) and an event-providerdevice 120 (which can be operated, controlled, or used by an eventprovider 115) can communicate with an access management system 185directly or via another system (e.g., via an intermediate system 150).Mobile device 110 may transmit data to access point 145, which isconnected to network 155, over communication channel 140 using antennae135. While FIG. 1 illustrates mobile device 110 communicating withaccess point 145 using a wireless connection (e.g., communicationchannel 140), in some embodiments, mobile device 110 may alsocommunicate with access point 145 using a wired connection (e.g., anEthernet connection). Mobile device 110 can also communicate with one ormore client devices, such as a client agent device 170 operated by aclient agent 175, a client register 160 or a client point device 165using a wired or wireless connection. In addition, using the accessmanagement system 185, an event provider 115 can identify an event, aparameter of attending the event, a date or dates of the event, alocation or locations of the event, etc. Each inter-system communicationcan occur over one or more networks 155 and can facilitate transmissionof a variety of types of data. It will be understood that, although onlyone of various systems, devices, entities and network are shown, theresource management system 100 can be extended to include multiple ofany given system(s), device(s), entity(ies), and/or networks.

Access management system 185 can be configured to manage a dynamic setof access rights to one or more resources. More specifically, accessmanagement system 185 can track which resources are to be made availableto users, specifications of the resources and times at which they willbe available. Access management system 185 can also allocate accessrights for resources and facilitate transmissions of notifications ofthe available rights to a set of user devices. For example, accessmanagement system 185 can alert users of the availability via a website,app page or email. As another example, access management system cantransmit data about access rights and resources to one or moreintermediate systems 150, which can facilitate distribution ofaccess-right availability and processing of requests for such rights.

Notifications of available access rights can be accompanied by optionsto request that one or more access rights be assigned to a user.Therefore, user 105 can provide input to mobile device 110 via aninterface to request such assignment and provide other pertinentinformation. Intermediate system 150 and/or access management system 185can process the request to ensure that the requested access right(s)remain available and that all required information has been receivedand, in some instances, verified. Thereafter, access management system185 can assign one or more access rights to the user, e.g., matching theaccess rights requested by the user.

Assigning an access right can include, for example, associating anidentifier of the right with an identifier of a user, changing a statusof the right from available to assigned, facilitating a cease innotifications that the access right is available, generating anaccess-enabling code to use such that the corresponding access will bepermitted and/or generating a notification to be received at mobiledevice 110 confirming the assignment and/or including data required forcorresponding access to be permitted.

In some instances, a resource is at least partly controlled, by aclient. The resource may be accessed at a particular location orstructure, and a variety of client devices may be present at thelocation so as to facilitate usage of an access right. Exemplary clientdevices can include client agent device 170, which can be one operatedby a client agent 175 (e.g., a human client agent), a client register160 (e.g., which can operate independently of an agent and/or can beconnected to or include a device that, while in a locked mode, canimpede resource access, such as a turnstile) and client point device 165(e.g., which can operate independently of an agent and/or can bepositioned at or around the resource-associated location. For example,in some instances client agent device 170 can be operated by an agent ata location for a resource that is an event (“event resource”) takingplace at the location. In this example, client agent device 170 is usedby an agent that is manning an entrance to the location (e.g., which caninclude, for example, a location of a structure or a geographic region)or a part thereof; client register 160 can be or can be connected to aturnstile, gate or lockable door that is positioned along a perimeter orentrance to a resource-associated location or part thereof; and clientpoint device 165 can be an electronic device positioned at or within aresource-associated location.

In some instances, mobile device 110 performs particular functions upondetecting a client device and/or the contrary. For example, mobiledevice 110 may locally retrieve or request (e.g., from an externalsource) an access-enabling code. The access-enabling code can betransmitted to the client device or a remote server (e.g., a serverhosting access management system 185) for evaluation and/or can belocally evaluated. The evaluation can include, for example, confirmingthat the access-enabling code has a particular characteristic or format(e.g., generally or one characteristic corresponding to a particularresource or type of access), matches one in an access-enabling code datastore and/or has not been previously redeemed. A result of theevaluation can be locally displayed at an evaluating device, can controla device component (e.g., a physical access control module), and/or canbe transmitted to another device, such as mobile device 110.

In some instances, user 105 can use multiple mobile devices 110 toperform various operations (e.g., using one device to request an accessright and another to interact with client devices). Some instances ofmobile device 110, access management system 185, intermediate system150, client agent device 170, client register 160 and/or client pointdevice 165 can include a portable electronic device (e.g., a smartphone, tablet, laptop computer or smart wearable device) or anon-portable electronic device (e.g., one or more desktop computers,servers and/or processors).

In exemplary embodiments, access rights can be represented in datamaintained at a client device or at access management system 185. Forexample, a database or data store include a list of identifiers for eachuser or user device having an assigned access right for a resource orassociating an identifier for each user or user device with anidentifier of a particular access right. In some instances, indicia canbe transmitted to a user device that indicates that an access right isavailed. In various instances, it may be permitted or prohibited for theindicia to be transferred. The indicia may be provided as part of anelectronic or physical object (e.g., a right to access an event) orindependently. The indicia may include an access-enabling code.

In some instances, access management system 185 communicates with one ormore intermediate systems 150, each of which may be controlled by adifferent entity as compared to an entity controlling access managementsystem 185. For example, access management system 185 may assign accessrights to intermediate systems 150 (e.g., upon acceptance of terms).Intermediate system 150 can then collect data pertaining to the assignedaccess rights and/or a corresponding event, can format and/or edit thedata, generate a notification of availability of the access rights thatincludes the formatted and/or edited data and facilitate presentation ofthe notification at a mobile device 110. When intermediate system 150receives a communication from the mobile device 110 indicative of anaccess-right request, intermediate system 150 can facilitate assignment(or reassignment) of an access right to the user (e.g., by transmittingrelevant information to access management system 185 identifying theuser and/or user device and/or by transmitting relevant information tomobile device 110 pertaining to the access right).

A resource can include one managed or provided by a client, such as aperforming entity or an entity operating a venue. A mobile device 110can transmit data corresponding to the access right (e.g., anaccess-enabling code) to a client device upon, for example, detectingthe client device, detecting that a location of the mobile device 110 iswithin a prescribed geographical region, or detecting particular input.The receiving client device may include, for example, a client agentdevice 170 operated at an entrance of a defined geographical location ora client register 160 that includes or is attached to a lockingturnstile. The client device can then analyze the code to confirm itsvalidity and applicability for a particular resource and/or access type,and admittance to the event can be accordingly permitted. For example, aturnstile may change from a locked to an unlocked mode upon confirmationof the code's validity and applicability.

Each of the depicted devices and/or systems may include a software agentor application (“app”) that, when executed, performs one or more actionsas described herein. In some instances, a software agent or app on onedevice is, at least in part, complementary to a software agent or app onanother device (e.g., such that a software agent or app on mobile device110 is, at least in part, complementary to at least part of one onaccess management system 185 and/or a client device; and/or such that asoftware agent or app on intermediate system 150 is, at least in part,complementary to at least part of one on access management system 185).

In some instances, a network in the one or more networks 155 can includean open network, such as the Internet, personal area network, local areanetwork (LAN), campus area network (CAN), metropolitan area network(MAN), wide area network (WAN), wireless local area network (WLAN), aprivate network, such as an intranet, extranet, or other backbone. Insome instances, a network in the one or more networks 155 includes ashort-range communication channel, such as Bluetooth or Bluetooth LowEnergy channel. Communicating using a short-range communication such asBLE channel can provide advantages such as consuming less power, beingable to communicate across moderate distances, being able to detectlevels of proximity, achieving high-level security based on encryptionand short ranges, and not requiring pairing for inter-devicecommunications.

In one embodiment, communications between two or more systems and/ordevices can be achieved by a secure communications protocol, such assecure sockets layer (SSL), transport layer security (TLS). In addition,data and/or transactional details may be encrypted based on anyconvenient, known, or to be developed manner, such as, but not limitedto, DES, Triple DES, RSA, Blowfish, Advanced Encryption Standard (AES),CAST-128, CAST-256, Decorrelated Fast Cipher (DFC), Tiny EncryptionAlgorithm (TEA), eXtended TEA (XTEA), Corrected Block TEA (XXTEA),and/or RC5, etc.

It will be appreciated that, while a variety of devices and systems areshown in FIG. 1, in some instances, resource management system 100 caninclude fewer devices and/or systems. Further, some systems and/ordevices can be combined. For example, a client agent device 170 may alsoserve as an access management system 185 or intermediate system 150 soas to as to facilitate assignment of access rights.

As described in further detail herein, an interaction between mobiledevice 110 and a client device (e.g., client agent device 170, clientregister 160 or client point device 165) can facilitate, for example,verification that user 105 has a valid and applicable access right,obtaining an assignment of an access right, and/or obtaining anassignment of an upgraded access right.

In addition, mobile device 110-2, which is operated by user 125-2, mayinclude a user device that is located at a stadium or concert hallduring an event. Mobile device 110-2 may directly interact with a clientdevice (e.g., client agent device 170, client register 160 or clientpoint device 165), which is also located at the stadium or concert hallduring the event. As such, the access management system 185 may beupdated or accessed by mobile device 110-2 via the client agent device170. For example, mobile device 110-2 may communicate with the clientagent device 170 over a short-range communication channel 190, such asBluetooth or Bluetooth Low Energy channel, Near Field Communication(NFC), Wi-Fi, RFID, Zigbee, ANT, etc. Communicating using a short-rangecommunication such as BLE channel can provide advantages such asconsuming less power, being able to communicate across moderatedistances, being able to detect levels of proximity, achievinghigh-level security based on encryption and short ranges, and notrequiring pairing for inter-device communications. After the short-rangecommunication link 190 is established, mobile device 110-2 maycommunicate with the access management system 185 and access the item oritems of resources. That is, while mobile device B is configured tocommunicate over network 155, mobile device 110-2 may communicate withthe access management system 185 via the client agent device 170,instead of the network 155.

It will be appreciated that various parts of system 100 can begeographically separated. It will further be appreciated that system 100can include a different number of various components rather than anumber depicted in FIG. 1. For example, two or more of access assignmentsystems 185; one or more site systems 180; and intermediate system 150may be located in different geographic locations (e.g., differentcities, states or countries).

FIG. 2 shows an illustration of hardware and network connections of aresource access-facilitating interaction system 200 according to anembodiment of the invention. Each of various user devices 210-1, 210-2,210-3, 210-4 and 210-5 can connect, via one or more inter-networkconnection components (e.g., a router 212) and one or more networks 270to a primary assignment management system 214 or a secondary assignmentmanagement system 216-1, 216-2 or 216-3.

Primary assignment management system 214 can be configured to coordinateand/or control initial assignment of access rights. Secondary assignmentmanagement system 216 can be configured to coordinate and/or controlreassignment and/or transfer of access rights (e.g., from one user oruser device to another or from an intermediate agent to a user or userdevice). Secondary assignment management system 216 may also managetransfer offers (e.g., to allow a first user to identify a price atwhich a transfer request would be granted and to detect if a validrequest is received). It will be appreciated that, although primaryassignment management system 214 is shown to be separate from eachsecondary assignment management system 216, in some instances, anassignment management system may relate to both a primary and secondarychannel, and a single data store or a localized cluster of data storesmay include data from both channels.

Each of primary access assignment system 214 and secondary accessassignment system 216 can include a web server 218 that processes andresponds to HTTP requests. Web server 218 can retrieve and deliverweb-page data to a user device 210 that, for example, identify aresource, identify a characteristic of each of one or more access rightsfor the resource, include an invitation to request assignment of anaccess right, facilitate establishment or updating of an account, and/oridentify characteristics of one or more assigned access rights. Webserver 218 can be configured to support server-side scripting and/orreceive data from user devices 210, such as data from forms or fileuploads.

In some instances, a web server 218 can be configured to communicatedata about a resource and an indication that access rights for theresource are available. Web server 218 can receive a requestcommunication from a user device 210 that corresponds to a request forinformation about access rights. The request can include one or moreconstraints, which can correspond to (for example) values (e.g., to bematched or to define a range) of particular fields.

A management server 222 can interact with web server 218 to provideindications as to which access rights' are available for assignment,characteristics of access rights and/or what data is needed to assign anaccess right. When requisite information is received (e.g., about a userand/or user device, identifying a final request for one or more accessrights, and so on), management server 222 can coordinate an assignmentof the one or more access rights. The coordination can include updatingan access-right data store to change a status of the one or more accessrights (e.g., to assigned); to associate each of the one or more accessrights with a user and/or user device; to generate or identify one ormore access-enabling codes for the one or more access rights; and/or tofacilitate transmission reflecting the assignment (e.g., and includingthe one or more access-enabling codes) to a user device.

Management server 222 can query, update and manage an access-right datastore to identify access rights' availability and/or characteristicand/or to reflect a new assignment. The data store can include oneassociated with the particular assignment system. In some instances, thedata store includes incomplete data about access rights for a resource.For example, a data store 224 at and/or used by a secondary accessassignment system 216 may include data about an incomplete subset ofaccess rights that have been allocated for a particular resource. Toillustrate, a client agent may have indicated that an independentintermediary system can (exclusively or non-exclusively) coordinateassignment of a portion of access rights for a resource but not theremainder. A data store 224 may then, for example, selectively includeinformation (e.g., characteristics, statuses and/or assignmentassociations) for access rights in the portion.

Data store 224 or 226 associated with a particular primary or secondaryaccess assignment system can include assignment data for a set of accessrights that are configured to be set by the particular primary orsecondary access assignment system or by another system. For example, arule can indicate that a given access right is to have an availablestatus until a first of a plurality of access assignment systems assignsthe access right. Accordingly, access assignment systems would then needto communicate to alert each other of assignments.

In one instance, management server 222 (or another server in an accessassignment system) sends a communication to a central data managementserver farm 228 reflecting one or more recent assignments. Thecommunication may include an identification of one or more accessrights, an indication that the access right(s) have been assigned, anidentification of a user and/or user device associated with theassignment and/or one or more access-enabling codes generated oridentified to be associated with the assignment. The communication canbe sent, for example, upon assigning the access right(s), as a precursorto assigning the access right(s) (e.g., to confirm availability and/orrequest assignment authorization), at defined times or time intervalsand/or in response to an assignment-update request received from datamanagement server farm 228.

Data management server farm 228 can then update a central data store toreflect the data from the communication. The central data store can bepart of, for example, a network-attached storage 232 and/or astorage-area network 234.

In some instances, a data store 224 or 226 can include a cache, thatincludes data stored based on previous communications with datamanagement server farm 228. For example, data management server farm 228may periodically transmit statuses of a set of access rights (e.g.,those initially configured to be assignable by an access assignmentsystem) or an updated status (e.g., indicating an assignment) of one ormore access rights. As another example, data management server farm 228may transmit statuses upon receiving a request from an access assignmentsystem for statuses and/or authorization to assign one or more accessrights.

An access assignment system may receive statuses less frequently or attimes unaligned with requests received from user devices requestinginformation about access rights and/or assignments. Rather than initiatea central data store query responsive to each user-device request, amanagement server 222 can rely on cached data (e.g., locally cacheddata) to identify availability of one or more access rights, as reflectin webpage data and/or communications responsive to requestcommunications for access-right information. After requisite informationhas been obtained, management server 222 can then communicate with datamanagement server farm 228 to ensure that one or more particular accessrights have remained available for assignment.

In some instances, one or more of primary access assignment system 214and/or a secondary access assignment system 214 need not include a localor system-inclusive data store for tracking access-right statuses,assignments and/or characteristics. Instead, the access assignmentsystem may communicate with a remote and/or central data store (e.g.,network-attached storage 232 or storage-area network 234).

Access management system 120 can include a primary access assignmentsystem 214 and/or a secondary access assignment system 214; datamanagement server farm 228; and/or a central data store (e.g.,network-attached storage 232 or storage-area network 234). Each of oneor more intermediate systems 130 can include a primary access assignmentsystem 214 and/or a secondary access assignment system 214.

Data management server farm 228 may periodically and/or routinely assessa connection with an access assignment system 214. For example, a testcommunication can be sent that is indicative of a request to respond(e.g., with particular data or generally). If a response communicationis not received, if a response communication is not received within adefined time period and/or if a response communication includesparticular data (e.g., reflecting poor data integrity, network speed,processing speed, etc.), data management server farm 228 may reconfigureaccess rights and/or permissions and/or may transmit anothercommunication indicating that assignment rights of the access assignmentsystem are limited (e.g., to prevent the system from assigning accessrights).

It will be appreciated that various parts of system 200 can begeographically separated. For example, two or more of primary accessassignment system 214; one or more of secondary access assignmentsystems 214; and data management server farm 228 may be located indifferent geographic locations (e.g., different cities, states orcountries).

It will further be appreciated that system 200 can include a differentnumber of various components rather than a number depicted in FIG. 2.For example, system 200 can include multiple data management serverfarms 228, central data stores and/or primary access assignment systems214 (e.g., which can be geographically separated, such as being locatedin different cities, states or countries). In some instances, processingmay be split (e.g., according to a load-balancing technique) acrossmultiple data management server farms 228 and/or across multiple accessassignment systems 214. Meanwhile, the farms and/or systems can beconfigured to accept an increased or full load should another farmand/or system be unavailable (e.g., due to maintenance). Data stored ina central data store may also be replicated in geographically separateddata stores.

FIG. 3 shows an illustration of a communication exchange betweencomponents involved in a resource access-facilitating interaction system300 according to an embodiment of the invention. A user device 310 cansend one or more HTTP requests to a web-server system 318, andweb-server system 318 can respond with one or more HTTP responses thatinclude webpage data. The webpage data can include, for example,information about one or more resources, characteristics of a set ofaccess rights for each of the one or more resources, availability of oneor more access rights, an invitation to request an assignment of one ormore access rights and/or indications as to what information is requiredfor an access-right assignment. HTTP requests can includeassignment-request data (e.g., a resource identification, requisiteinformation, and/or an identification of an access-right constraint oraccess right).

Web-server system 318 can include one or more web processors (e.g.,included in one or more server farms, which may be geographicallyseparated) to, for example, map a path component of a URL to web data(e.g., stored in a local file system or generated by a program);retrieve the web data; and/or generate a response communicationincluding the web data. Web processor can further parse communication toidentify input-corresponding data in HTTP requests, such as field valuesrequired for an access-right assignment.

Web-server system 318 can also include a load balancer to distributeprocessing tasks across multiple web processors. For example, HTTPrequests can be distributed to different web processors. Load-balancingtechniques can be configured so as, for example, to distributeprocessing across servers or server farms, decrease a number of hopsbetween a web server and user device, decrease a geographical locationbetween a user device and web server, etc.

Web-server system 318 can further include a RAID component, such as aRAID controller or card. A RAID component can be configured, forexample, to stripe data across multiple drives, distribute parity acrossdrives and/or mirror data across multiple drives. The RAID component canbe configured to improve reliability and increase request-processingspeeds.

Web-server system 318 can include one or more distributed,non-distributed, virtual, non-virtual, local and/or remote data stores.The data stores can include web data, scripts and/or content object(e.g., to be presented as part or web data).

Some HTTP requests include requests for identifications of access-rightcharacteristics and/or availability. To provide web data reflecting suchinformation, web-server system 318 can request the information fromanother server, such as an SQL system 341 (e.g., which may include oneor more servers or one or more server farms).

SQL system 341 can include one or more SQL processors (e.g., included inone or more server farms, which may be geographically separated). SQLprocessors can be configured to query, update and otherwise use one ormore relational data stores. SQL processors can be configured to execute(and, in some instances, generate) code (e.g., SQL code) to query arelational data store.

SQL system 341 can include a database engine, that includes a relationalengine, OLE database and storage engine. A relational engine canprocess, parse, compile, and/or optimize a query and/or makequery-associated calls. The relational engine can identify an OLE DB rowset that identifies the row with columns matching search criteria and/ora ranking value. A storage engine can manage data access and use therowset (e.g., to access tables and indices) to retrieve query-responsivedata from one or more relational databases.

SQL system 341 can include one or more distributed, non-distributed,virtual, non-virtual, local and/or remote relational data stores. Therelational databases can include linked data structures identifying, forexample, resource information, access-right identifications andcharacteristics, access-right statuses and/or assignments, and/or userand/or user account data. Thus, for example, use of the relationalstructures may facilitate identifying, for a particular user, acharacteristic of an assigned access right and information about aresource associated with the access right.

One or more data structures in a relational data structure may reflectwhether particular access rights have been assigned or remain available.This data may be based on data received from a catalog system 342 thatmonitors and tracks statuses of resource access rights. Catalog system342 can include one or more catalog processors (e.g., included in one ormore server farms, which may be geographically separated). Catalogprocessors can be configured to generate status-update requestcommunications to be sent to one or more access assignment systemsand/or intermediate systems and/or to receive status-updatecommunications from one or more access assignment systems and/orintermediate systems. A status-update communication can, for example,identify an access right and/or resource and indicate an assignment ofthe access right. For example, a status-update communication canindicate that a particular access right has been assigned and is thus nolonger available. In some instances, a status-update communicationidentifies assignment details, such as a user, account and/or userdevice associated with an access-right assignment; a time that theassignment was made; and/or a value associated with the assignment.

In some instances, a status update is less explicit. For example, acommunication may identify an access right and/or resource and request afinal authorization of an assignment of the access right. Catalog system342 can then verify that the access right is available for assignment(e.g., and that a request-associated system or entity is authorized tocoordinate the assignment) and can transmit an affirmative response.Such a communication exchange can indicate (in some instances) that theaccess right is assigned and unavailable for other assignment.

In some instances, catalog system 342 can also be integrated with anon-intermediate access assignment system, such that it can directlydetect assignments. For example, an integrated access assignment systemcan coordinate a message exchange with a user device, can query acatalog data store to identify available access rights and canfacilitate or trigger a status-change of an access right to reflect anassignment (e.g., upon having received all required information.

Whether a result of a direct assignment detection or a status updatefrom an intermediate system, a database engine of catalog system 342 canmanage one or more data stores so as to indicate a current status ofeach of a set of access rights for a resource. The one or more datastores may further identify any assignment constraints. For example,particular access rights may be earmarked so as to only allow one ormore particular intermediate systems to trigger a change to the accessrights' status and/or to assign the access rights.

The database engine can include a digital asset management (DAM) engineto receive, transform (e.g., annotate, reformat, introduce a schema,etc.) status-update communications, and identify other data (e.g., anidentifier of an assigning system and/or a time at which a communicationwas received) to associate with a status update (e.g., an assignment).Therefore, the DAM engine can be configured to prepare storage-updatetasks so as to cause a maintained data store to reflect a recent datachange.

Further, the DAM engine can facilitate handling of data-store queries.For example, a status-request communication or authorization-requestcommunication can be processed to identify variables and/or indices touse to query a data store. A query can then be generated and/or directedto a data store based on the processing. The DAM engine can relay (e.g.,and, potentially, perform intermediate processing to) a query result toa request-associate system.

The database engine can also include a conflict engine, which can beconfigured to access and implement rules indicating how conflicts are tobe handled. For example, catalog system 342 may receive multiplerequests within a time period requesting an assignment authorization (ora hold) for a particular access right. A rule may indicate that a firstrequest is to receive priority, that a request associated with a morehighly prioritized requesting system (e.g., intermediate system) is tobe prioritized, that a request associated with a relatively high (orlow) quantity of access rights identified in the request for potentialassignment are to be prioritized, etc.

The database engine can further include a storage engine configured tomanage data access and/or data updates (e.g., modifying existing data oradding new data). The data managed by and/or accessible to the storageengine can be included in one or more data stores. The data stores caninclude, for example, distributed, non-distributed, virtual,non-virtual, local and/or remote data stores. The data stores caninclude, for example, a relational, non-relational, object, non-object,document and/or non-document data store. Part or all of a data store caninclude a shadow data store, that shadows data from another data store.Part or all of a data store can include an authoritative data store thatis (e.g., directly and/or immediately) updated with access-rightassignment changes (e.g., such that a primary or secondary accessassignment system updates the data store as part of an access-rightassignment process, rather than sending a post-hoc status-updatecommunication reflecting the assignment). In some instances, a datastore an authoritative data store identifies a status for each of a set(e.g., or all) of access rights for a given resource. Should there beany inconsistency between an authoritative data store and another datastore (e.g., at an intermediate system), system 300 can be configuredsuch that the authoritative data store is controlling.

System 300 can further include a replication system 343. Replicationsystem 343 can include one or more replication processors configured toidentify new or modified data, to identify one or more data storesand/or location at which to store the new or modified data and/or tocoordinate replication of the data. In some instances, one or more ofthese identifications and/or coordination can be performed using areplication rule. For example, a replication rule may indicate thatreplication is to be performed in a manner biased towards storingreplicated data at a data store geographically separated from anotherdata store storing the data.

A data duplicator can be configured to read stored data and generate oneor more write commands so as to store the data at a different datastore. A controller can manage transmitting write commands appropriatelyso as to facilitate storing replicated data at identified data stores.Further, a controller can manage data stores, such as a distributedmemory or distributed shared memory, to ensure that a currently activeset of data stores includes a target number of replications of data.

Accordingly, web-server system 318 can interact with user device 310 toidentify available access rights and to collect information needed toassign an access right. Web-server system 318 can interact with SQLsystem 341 so as to retrieve data about particular resources and/oraccess rights so as to configure web data (e.g., via dynamic webpages orscripts) to reflect accurate or semi-accurate information and/orstatuses. SQL system 341 can use relational data stores to quicklyprovide such data. Meanwhile, catalog system 342 may manage one or morenon-relational and/or more comprehensive data stores may be tasked withmore reliably and quickly tracking access-right statuses andassignments. The tracking may include receiving status updates (e.g.,via a push or pull protocol) from one or more intermediate systemsand/or by detecting assignment updates from non-intermediate systems,such as an integrated access assignment system and/or SQL system 341.Catalog system 342 may provide condensed status updates (e.g.,reflecting a binary indication as to whether an access right isavailable) to SQL system 341 periodically, at triggered times and/or inresponse to a request from the SQL system. A replication system 343 canfurther ensure that data is replicated at multiple data stores, so as toimprove a reliability and speed of system 300.

It will be appreciated that various parts of system 300 can begeographically separated. For example, each of user device 310,intermediate system 330, web-server system 318, SQL system 341, catalogsystem 342 and replication 343 may be located in different geographiclocations (e.g., different cities, states or countries).

FIG. 4 illustrates example components of a device 400, such as a clientdevice (e.g., client agent device 140, client register 150 and/or clientpoint device 160), an intermediate system (e.g., intermediate system130) and/or an access management system (e.g., access management system120) according to an embodiment of the invention.

The components can include one or more modules that can be installed ondevice 400. Modules can include some or all of the following: a networkinterface module 402 (which can operate in a link layer of a protocolstack), a message processor module 404 (which can operate in an IP layerof a protocol stack), a communications manager module 406 (which canoperate in a transport layer of a protocol stack), a communicationsconfigure module 408 (which can operate in a transport and/or IP layerin a protocol stack), a communications rules provider module 410 (whichcan operate in a transport and/or IP layer in a protocol stack),application modules 412 (which can operate in an application layer of aprotocol stack), a physical access control module 432 and one or moreenvironmental sensors 434.

Network interface module 402 receives and transmits messages via one ormore hardware components that provide a link-layer interconnect. Thehardware component(s) can include, for example, RF antenna 403 or a port(e.g., Ethernet port) and supporting circuitry. In some embodiments,network interface module 402 can be configured to support wirelesscommunication, e.g., using Wi Fi (IEEE 802.11 family standards),Bluetooth® (a family of standards promulgated by Bluetooth SIG, Inc.),BLE, or near-field communication (implementing the ISO/IEC 18092standards or the like).

RF antenna 403 can be configured to convert electric signals into radioand/or magnetic signals (e.g., to radio waves) to transmit to anotherdevice and/or to receive radio and/or magnetic signals and convert themto electric signals. RF antenna 403 can be tuned to operate within aparticular frequency band. In some instances, a device includes multipleantennas, and the antennas can be, for example, physically separated. Insome instances, antennas differ with respect to radiation patterns,polarizations, take-off angle gain and/or tuning bands. RF interfacemodule 402 can include one or more phase shifters, filters, attenuators,amplifiers, switches and/or other components to demodulate receivedsignals, coordinate signal transmission and/or facilitate high-qualitysignal transmission and receipt.

In some instances, network interface module 402 includes a virtualnetwork interface, so as to enable the device to utilize an intermediatedevice for signal transmission or reception. For example, networkinterface module 402 can include VPN software.

Network interface module 402 and one or more antennas 403 can beconfigured to transmit and receive signals over one or more connectiontypes. For example, network interface module 402 and one or moreantennas 403 can be configured to transmit and receive WiFi signals,cellular signals, Bluetooth signals, Bluetooth Low Energy (BLE) signals,Zigbee signals, or Near-Field Communication (NFC) signals.

Message processor module 404 can coordinate communication with otherelectronic devices or systems, such as one or more servers or a userdevice. In one instance, message processor module 404 is able tocommunicate using a plurality of protocols (e.g., any known, futureand/or convenient protocol such as, but not limited to, XML, SMS, MMS,and/or email, etc.). Message processor module 404 may further optionallyserialize incoming and/or outgoing messages and facilitate queuing ofincoming and outgoing message traffic.

Message processor module 404 can perform functions of an IP layer in anetwork protocol stack. For example, in some instances, messageprocessor module 404 can format data packets or segments, combine datapacket fragments, fragment data packets and/or identify destinationapplications and/or device addresses. For example, message processormodule 404 can defragment and analyze an incoming message to determinewhether it is to be forwarded to another device and, if so, can addressand fragment the message before sending it to the network interfacemodule 402 to be transmitted. As another example, message processormodule 404 can defragment and analyze an incoming message to identify adestination application that is to receive the message and can thendirect the message (e.g., via a transport layer) to the application.

Communications manager module 406 can implement transport-layerfunctions. For example, communications manager module 406 can identify atransport protocol for an outgoing message (e.g., transmission controlprotocol (TCP) or user diagram protocol (UDP)) and appropriatelyencapsulate the message into transport protocol data units. Messageprocessor module 404 can initiate establishment of connections betweendevices, monitor transmissions failures, control data transmission ratesand monitoring transmission quality. As another example, communicationsmanager module 406 can read a header of an incoming message to identifyan application layer protocol to receive the message's data. The datacan be separated from the header and sent to the appropriateapplication. Message processor module 404 can also monitor the qualityof incoming messages and/or detect out of order incoming packets.

In some instances, characteristics of message-receipt ormessage-transmission quality can be used to identify a health status ofan established communications link. In some instances, communicationsmanager module 406 can be configured to detect signals indicating thehealth status of an established communications link (e.g., a periodicsignal from the other device system, which if received without dropouts,indicates a healthy link).

In some instances, a communication configurer module 408 is provided totrack attributes of another system so as to facilitate establishment ofa communication session. In one embodiment, communication configurermodule 408 further ensures that inter-device communications areconducted in accordance with the identified communication attributesand/or rules. Communication configurer module 408 can maintain anupdated record of the communication attributes of one or more devices orsystems. In one embodiment, communications configurer module 408 ensuresthat communications manager module 406 can deliver the payload providedby message processor module 404 to the destination (e.g., by ensuringthat the correct protocol corresponding to the client system is used).

A communications rules provider module 410 can implement one or morecommunication rules that relate to details of signal transmissions orreceipt. For example, a rule may specify or constrain a protocol to beused, a transmission time, a type of link or connection to be used, adestination device, and/or a number of destination devices. A rule maybe generally applicable or conditionally applicable (e.g., only applyingfor messages corresponding to a particular app, during a particular timeof day, while a device is in a particular geographical region, when ausage of a local device resource exceeds a threshold, etc.). Forexample, a rule can identify a technique for selecting between a set ofpotential destination devices based on attributes of the set ofpotential destination devices as tracked by communication configuremodule 408. To illustrate, a device having a short response latency maybe selected as a destination device. As another example, communicationsrules provider 410 can maintain associations between various devices orsystems and resources. Thus, messages corresponding to particularresources can be selectively transmitted to destinations having accessto such resources.

A variety of application modules 412 can be configured to initiatemessage transmission, process incoming transmissions, facilitateselective granting of resource access, facilitate processing of requestsfor resource access, and/or performing other functions. In the instancedepicted in FIG. 4, application modules 412 include an auto-updatermodule 414, a resource access coordinator module 416, and/or a codeverification module 418.

Auto-updater module 414 automatically updates stored data and/or agentsoftware based on recent changes to resource utilization, availabilityor schedules and/or updates to software or protocols. Such updates canbe pushed from another device (e.g., upon detecting a change in aresource availability or access permit) or can be received in responseto a request sent by device 400. For example, device 400 can transmit asignal to another device that identifies a particular resource, and aresponsive signal can identify availabilities of access to the resource(e.g., available seat reservations for a sporting event or concert). Asanother example, device 400 can transmit a signal that includes anaccess access-enabling code, and a responsive signal can indicatewhether the code is applicable for access of a particular resourceand/or is valid.

In some instances, auto-updater module 414 is configured to enable theagent software to understand new, messages, commands, and/or protocols,based on a system configuration/change initiated on another device.Auto-updater module 414 may also install new or updated software toprovide support and/or enhancements, based on a system configurationchange detected on device 400. System configuration changes that wouldnecessitate changes to the agent software can include, but are notlimited to, a software/hardware upgrade, a security upgrade, a routerconfiguration change, a change in security settings, etc. For example,if auto-updater module 414 determines that a communication link withanother device has been lost for a pre-determined amount of time,auto-updater module 414 can obtain system configuration information tohelp re-establish the communication link. Such information may includenew settings/configurations on one or more hardware devices or new orupgraded software on or connected to device 400. Thus, auto-updatermodule 414 can detect or be informed by other software when there is anew version of agent software with additional functionality and/ordeficiency/bug corrections or when there is a change with respect to thesoftware, hardware, communications channel, etc.), and perform updatesaccordingly.

Based on the newly obtained system configuration for device 400,auto-updater module 414 can cause a new communication link to bere-established with another device. In one embodiment, uponestablishment of the communication link, system configurationinformation about device 400 can also be provided to another device tofacilitate the connection to or downloading of software to device 400.

In one embodiment, when a poor health signal is detected by anotherdevice (e.g., when the health signal is only sporadically received butthe communication link is not necessarily lost), the other device cansend a command to auto-updater module 414 to instruct auto-updatermodule 414 to obtain system configuration information about device 400.The updated system configuration information may be used in an attemptto revive the unhealthy communications link (e.g., by resending aresource request). For example, code can utilize appropriate systemcalls for the operating system to fix or reestablish communications. Byway of example and not limitation, model and driver information isoptionally obtained for routers in the system in order querying them. Byway of further example, if the code determines that a new brand ofrouter has been installed, it can adapt to that change, or to the changein network configuration, or other changes.

Instead or in addition, the host server (e.g., via communicationsmanager 406) can send specific instructions to auto-updater module 414to specify tests or checks to be performed on device 400 to determinethe changes to the system configurations (e.g., by automaticallyperforming or requesting an inventory check of system hardware and/orsoftware). For example, the components involved in the chain of hopsthrough a network can be queried and analyzed. Thus, for example, if anew ISP (Internet service provider) is being used and the managementsystem traffic is being filtered, or a new router was installed and thesoftware needs to change its configuration, or if someone made a changeto the operating system that affects port the management system is usingto communicate, the management system (or operator) can communicate withthe ISP, change it back, or choose from a new available port,respectively.

The specific tests may be necessary to help establish the communicationlink, if, for example, the automatic tests fail to provide sufficientinformation for the communication link to be re-established, ifadditional information is needed about a particular configurationchange, and/or if the client system is not initially supported by theauto-updater module 414, etc.

Auto-updater module 414 can also receive signals identifying updatespertaining to current or future availability of resources and/or accesspermits. Based on the signals, auto-updater module 414 can modify, addto or delete stored data pertaining to resource availabilities, resourceschedules and/or valid access permits. For example, upon receiving anupdate signal, auto-updater 414 can modify data stored in one or moredata stores 422, such as an account data store 424, resourcespecification data store 426, resource status data store 428 and/oraccess-enabling code data store 430.

Account data store 424 can store data for entities, such asadministrators, intermediate-system agents and/or users. The accountdata can include login information (e.g., username and password),identifying information (e.g., name, residential address, phone number,email address, age and/or gender), professional information (e.g.,occupation, affiliation and/or professional position), preferences(e.g., regarding event types, performers, seating areas, and/or resourcetypes), assignment data (e.g., reflecting dates, values and/or items ofpast purchases). The account data can also or alternatively includetechnical data, such a particular entity can be associated with one ormore device types, IP addresses, browser identifier and/or operatingsystem identifier).

Resource specification data store 426 can store specification datacharacterizing each of one or more resources. For example, specificationdata for a resource can include a processing power, available memory,operating system, compatibility, device type, processor usage, powerstatus, device model, number of processor cores, types of memories, dateand time of availability, a performing entity, a venue of the eventand/or a set of seats (e.g., a chart or list). Specification data canfurther identify, for example, a cost for each of one or more accessrights.

Resource status data store 428 can store status data reflecting whichresources are available (or unavailable), thereby indicating whichresources have one or more open assignments. In some instances, thestatus data can include schedule information about when a resource isavailable. Status data can include information identifying an entity whorequested, reserved or was assigned a resource. In some instances,status information can indicate that a resource is being held orreserved and may identify an entity associated with the hold or reserveand/or a time at which the hold or reservation will be released.

Access-enabling code data store 430 can store access-enabling code datathat includes one or more codes and/or other information that can beused to indicate that an entity is authorized to use, have or receive aresource. An access-enabling code can include, for example, a numericstring, an alphanumeric string, a text string, a 1-dimensional code, a2-dimensional code, a barcode, a quick response (QR) code, an image, astatic code and/or a temporally dynamic code. An access-enabling codecan be, for example, unique across all instances, resource types and/orentities. For example, access-enabling codes provided in association fortickets to a particular event can be unique relative to each other. Insome instances, at least part of a code identifies a resource orspecification of a resource. For example, for a ticket to a concert,various portions of a code may reflect: a performing entity, resourcelocation, date, section and access-permitted location identifier.

One or more of data stores 424, 426, 428, and 430 can be a relationaldata store, such that elements in one data store can be referencedwithin another data store. For example, resource status data store 428can associate an identifier of a particular ticket with an identifier ofa particular entity. Additional information about the entity can then beretrieved by looking up the entity identifier in account data store 424.

Updates to data stores 424, 426, 428, and 430 facilitated and/orinitiated by auto-updater module 414 can improve cross-device dataconsistency. Resource access coordinator module 416 can coordinateresource access by, for example, generating and distributingidentifications of resource availabilities; processing requests forresource access; handling competing requests for resource access; and/orreceiving and responding to resource-offering objectives.

FIG. 5 illustrates example components of resource access coordinatormodule 416 that may operate, at least in part, at an access managementsystem (e.g., access management system) according to an embodiment ofthe invention. A resource specification engine 502 can identify one ormore available resources. For example, resource specification engine 502can detect input that identifies a current or future availability of anew resource.

Resource specification engine 502 can identify one or morespecifications of each of one or more resources. A specification caninclude an availability time period. For example, resource specificationengine 502 can determine that a resource is available, for example, at aparticular date and time (e.g., as identified based on input), for atime period (e.g., a start to end time), as identified in the input,and/or from a time of initial identification until another inputindicating that the resource is unavailable is detected. A specificationcan also or alternatively include a location (e.g., a geographiclocation and/or venue) of the resource. A specification can also oralternatively include one or more parties associated with the resource(e.g., performing acts or teams). Resource specification engine 502 canstore the specifications in association with an identifier of theresource in resource specifications data store 426.

A resource-access allocation engine 504 can allocate access rights forindividual resources. An access right can serve to provide an associatedentity with the right or a priority to access a resource. Because (forexample) association of an access right with an entity can, in someinstances, be conditioned on authorization thereof, an allocated accessright can be initially unassociated with particular entities (e.g.,users). For example, an allocated right can correspond to one or moreaccess characteristics, such as an processor identifier, a usage time, amemory allocation, a geographic location (e.g., section or seatidentifier), and/or a fee. For an allocated access right,resource-access allocation engine 504 can store an identifier of theright in resource statuses data store 428 in association with anidentifier for the resource and an indication that it has not yet beenassigned to a particular entity.

A communication engine 506 can facilitate communicating the availabilityof the resource access rights to users. In some instances, a publisherengine 508 generates a presentation that identifies a resource andindicates that access rights are available. Initially or in response touser interaction with the presentation, the presentation can identifyaccess characteristics about available access rights. The presentationcan include, for example, a chart that identifies available accessrights for an event and corresponding fees. Publisher engine 508 candistribute the presentation via, for example, a website, app page, emailand/or message. The presentation can be further configured to enable auser to request assignments of one or more access rights.

In some instances, an intermediate system coordination engine 510 canfacilitate transmission of information about resource availability(e.g., resource specifications and characteristics of resource-accessrights) to one or more intermediate systems (e.g., by generating one ormore messages that include such information and/or facilitatingpublishing such information via a website or app page). Each of the oneor more intermediate systems can publish information about the resourceand accept requests for resource access. In some instances, intermediatesystem coordination engine 510 identifies different access rights asbeing available to individual intermediate systems to coordinateassignment. For example, access rights for seats in Section 1 may beprovided for a first intermediate system to assign, and access rightsfor seats in Section 2 may be provided to a second intermediate systemto assign.

In some instances, overlapping access rights are made available tomultiple intermediate systems to coordinate assignments. For example,some or all of a first set of resource rights (e.g., corresponding to asection) may be provided to first and second intermediate systems. Insuch instances, intermediate system coordination engine 510 can respondto a communication from a first intermediate system indicating that arequest has been received (e.g., and processed) for an access right inthe set) by sending a notification to one or more other intermediatesystems that indicates that the access right is to be at leasttemporarily (or entirely) made unavailable.

Intermediate system coordination engine 510 can monitor communicationchannels with intermediate systems to track the health and security ofthe channel. For example, a healthy connection can be inferred whenscheduled signals are consistently received. Further, intermediatesystem coordination engine 510 can track configurations of intermediatesystems (e.g., via communications generated at the intermediate systemsvia a software agent that identifies such configurations) so as toinfluence code generation, communication format, and/or provisions oraccess rights.

Thus, either via a presentation facilitated by publisher engine 508(e.g., via a web site or app page) or via communication with anintermediate system, a request for assignment of an access right can bereceived. A request management engine 512 can process the request.Processing the request can include determining whether all otherrequired information has been received, such as user-identifyinginformation (e.g., name), access-right identifying information (e.g.,identifying a resource and/or access-right characteristic) user contactinformation (e.g., address, phone number, and/or email address), and/oruser device information (e.g., type of device, device identifier, and/orIP address).

When all required information has not been received, request managementengine 512 can facilitate collection of the information (e.g., via awebpage, native application page or communication to an intermediatesystem). Request management engine 512 can also or alternatively obtaininformation associated with the completion of a request (received from auser device) for assignment of one or more access rights. In someinstances, request management engine 512 retrieves data from a userprofile. For example, publisher engine 508 may indicate that a requestfor an access right has been received while a user was logged into aparticular profile. Request management engine 512 may then retrieve, forexample, contact information, device information, and/or preferencesassociated with the profile from account data store 424.

In some instances, request management engine 512 prioritizes requests,such as requests for overlapping, similar or same access rights (e.g.,requests for access rights associated with a same section) receivedwithin a defined time period. The prioritization can be based on, forexample, times at which requests were received (e.g., prioritizingearlier requests), a request parameter (e.g., prioritizing requests fora higher or lower number of access rights above others), whetherrequests were received via an intermediate system (e.g., prioritizingsuch requests lower than others), intermediate systems associated withrequests (e.g., based on rankings of the systems), whether requests wereassociated with users having established accounts, and/or whetherrequests were associated with inputs indicative of a bot initiating therequest (e.g., shorter inter-click intervals, failed CAPTCHA tests,assignment history departing from a human profile).

Upon determining that required information has been received andrequest-processing conditions have been met, request management engine512 can forward appropriate request information to a resource schedulingengine 514. For a request, resource scheduling engine 514 can queryresource status data store 428 to identify access rights matchingparameters of the request.

In some instances, the request has an access-right specificity matchinga specificity at which access rights are assigned. In some instances,the request is less specific, and resource scheduling engine 514 canthen facilitate an identification of particular rights to assign. Forexample, request management engine 512 can facilitate a communicationexchange by which access right characteristics matching the request areidentified, and a user is allowed to select particular rights. Asanother example, request management engine 512 can itself select fromamongst matching access rights based on a defined criterion (e.g., bestsummed or averaged access-right ranking, pseudo-random selection, or aselection technique identified based on user input).

Upon identifying appropriately specific access rights, resourcescheduling engine 514 can update resource status data store 428 so as toplace the access right(s) on hold (e.g., before completion of therequest) and/or to change a status of the access right(s) to indicatethat they have been assigned. Such assignment indication may associateinformation about the user (e.g., user name, device information, phonenumber and/or email address) and/or assignment process (e.g., identifierof any intermediate system and/or assignment date and time) with anidentifier of the access right(s).

For individual assigned access rights, an encoding engine 516 cangenerate an access-enabling code. The access-enabling code can include,for example, an alphanumeric string, a text string, a number, a graphic,a barcode (e.g., a 1-dimensional or 2-dimensional barcode), a staticcode, a dynamic code (e.g., with a feature depending on a current time,current location or communication) and/or a technique for generating thecode (e.g., whereby part of the code may be static and part of the codemay be determined using the technique). The code may be unique acrossall access rights, all access rights for a given resource, all accessrights associated with a given location, all access rights associatedwith a given time period, all resources and/or all users. In someinstances, at least part of the code is determined based on or isthereafter associated with an identifier of a user, user deviceinformation, a resource specification and/or an access rightcharacteristic.

In various embodiments, the code may be generated prior to allocatingaccess rights (e.g., such that each of some or all allocated accessrights are associated with an access-enabling code), prior to or whileassigning one or more access right(s) responsive to a request (e.g.,such that each of some or all assigned access rights are associated withan access-enabling code), at a prescribed time, and/or when the deviceis at a defined location and/or in response to user input. The code maybe stored at or availed to a user device. In various instances, at theuser device, an access-enabling code may be provided in a manner suchthat it is visibly available for user inspection or concealed from auser. For example, a ticket document with a barcode may be transmittedto a user device, or an app on the user device can transmit a requestwith a device identifier for a dynamic code.

Encoding engine 516 can store the access-enabling codes inaccess-enabling code data store 430. Encoding engine 516 can also oralternatively store an indication in account data store 424 that theaccess right(s) have been assigned to the user. It will again beappreciated that data stores 424, 426, 428, and 430 can be relationaland/or linked, such that, for example, an identification of anassignment can be used to identify one or more access rights, associatedaccess-enabling code(s) and/or resource specifications.

Resource scheduling engine 514 can facilitate one or more transmissionsof data pertaining to one or more assigned access rights to a device ofa user associated with the assignment. The data can include anindication that access rights have been assigned and/or details as towhich rights have been assigned. The data can also or alternativelyinclude access-enabling codes associated with assigned access rights.

While FIG. 5 depicts components of resource access coordinator module516 that may be present on an access management system 120, it will beappreciated that similar or complementary engines may be present onother systems. For example, a communication engine on a user device canbe configured to display presentations identifying access rightavailability, and a request management engine on a user device can beconfigured to translate inputs into access-right requests to send to anintermediate system or access management system.

Returning to FIG. 4, code verification module 418 (e.g., at a userdevice or client device) can analyze data to determine whether anaccess-enabling code is generally valid and/or valid for a particularcircumstance. The access-enabling code can include one that is receivedat or detected by device 400. The analysis can include, for example,determining whether all or part of the access-enabling code matches onestored in access-enabling code data store 430 or part thereof, whetherthe access-enabling code has previously been applied, whether all orpart of the access-enabling code is consistent with itself or otherinformation (e.g., one or more particular resource specifications, acurrent time and/or a detected location) as determined based on aconsistency analysis and/or whether all or part of the access-enablingcode has an acceptable format.

For example, access-enabling code data store 430 can be organized in amanner such that access-enabling codes for a particular resource, date,resource group, client, etc. can be queried to determine whether anysuch access-enabling codes correspond to (e.g. match) one beingevaluated, which may indicate that the code is verified. Additionalinformation associated with the code may also or alternatively beevaluated. For example, the additional information can indicate whetherthe code is currently valid or expired (e.g., due to a previous use ofthe code).

As another example, a portion of an access-enabling code can include anidentifier of a user device or user account, and code verificationmodule 418 can determine whether the code-identified device or accountmatches that detected as part of the evaluation. To illustrate, device400 can be a client device that electronically receives a communicationwith an access-enabling code from a user device. The communication canfurther include a device identifier that identifies, for example, thatthe user device is a particular type of smartphone. Code verificationmodule 418 can then determine whether device-identifying information inthe code is consistent with the identified type of smartphone.

As yet another example, code verification module 418 can identify a codeformat rule that specifies a format that valid codes are to have. Toillustrate, the code format rule may identify a number of elements thatare to be included in the code or a pattern that is to be present in thecode. Code verification module 418 can then determine that a code is notvalid if it does not conform to the format.

Verification of an access-enabling code can indicate that access to aresource is to be granted. Conversely, determining that a code is notverified can indicate that access to a resource is to be limited orprevented. In some instances, a presentation is generated (e.g., andpresented) that indicates whether access is to be granted and/or aresult of a verification analysis. In some instances, access grantingand/or limiting is automatically affected. For example, upon a codeverification, a user device and/or user may be automatically permittedto access a particular resource. Accessing a resource may include, forexample, using a computational resource, possessing an item, receiving aservice, entering a geographical area, and/or attending an event (e.g.,generally or at a particular location).

Verification of an access-enabling code can further trigger amodification to access-enabling code data store 430. For example, a codethat has been verified can be removed from the data store or associatedwith a new status. This modification may limit attempts to use a samecode multiple times for resource access.

A combination of modules 414, 416, 418 comprise a secure addressableendpoint agent 420 that acts as an adapter and enables cross-deviceinterfacing in a secure and reliable fashion so as to facilitateallocation of access-enabling codes and coordinate resource access.Secure addressable endpoint agent 420 can further generate a healthsignal that is transmitted to another device for monitoring of a statusof a communication channel. The health signal is optionally a shortmessage of a few bytes or many bytes in length that may be transmittedon a frequent basis (e.g., every few milliseconds or seconds). Acommunications manager 406 on the receiving device can then monitors thehealth signal provided by the agent to ensure that the communicationlink between the host server and device 400 is still operational.

In some instances, device 400 can include (or can be in communicationwith) a physical access control 432. Physical access control 432 caninclude a gating component that can be configured to provide a physicalbarrier towards accessing a resource. For example, physical accesscontrol 432 can include a turnstile or a packaging lock.

Physical access control 432 can be configured such that it can switchbetween two modes, which differ in terms of a degree to which useraccess to a resource is permitted. For example, a turnstile may have alocked mode that prevents movement of an arm of the turnstile and anunlocked mode that allows the arm to be rotated. In some instances, adefault mode is the mode that is more limiting in terms of access.

Physical access control 432 can switch its mode in response to receivingparticular results from code verification module 418. For example, uponreceiving an indication that a code has been verified, physical accesscontrol 432 can switch from a locked mode to an unlocked mode. It mayremain in the changed state for a defined period of time or until anaction or event is detected (e.g., rotation of an arm).

Device 400 can also include one or more environmental sensors 434.Measurements from the sensor can processed by one or more applicationmodules. Environmental sensor(s) 434 can include a global positioningsystem (GPS) receiver 435 that can receive signals from one or more GPSsatellites. A GPS chipset can use the signals to estimate a location ofdevice 400 (e.g., a longitude and latitude of device 400). The estimatedlocation can be used to identify a particular resource (e.g., one beingoffered at or near the location at a current or near-term time). Theidentification of the particular resource can be used, for example, toidentify a corresponding (e.g., user-associated) access-enabling code orto evaluate an access-enabling code (e.g., to determine whether itcorresponds to a resource associated with the location).

The estimated location can further or alternatively be used to determinewhen to perform a particular function. For example, at a user device,detecting that the device is in or has entered a particular geographicalregion (e.g., is within a threshold distance from a geofence perimeteror entrance gate) can cause the device to retrieve or request anaccess-enabling code, conduct a verification analysis of the code and/ortransmit the code to a client device.

It will be appreciated that environmental sensor(s) 434 can include oneor more additional or alternative sensors aside from GPS receiver 435.For example, a location of device 400 can be estimated based on signalsreceived by another receive from different sources (e.g., base stations,client point devices or Wi Fi access points). As another example, anaccelerometer and/or gyroscope can be provided. Data from these sensorscan be used to infer when a user is attempting to present anaccess-enabling code for evaluation.

It will also be appreciated that the components and/or engines depictedin figures herein are illustrative, and a device need not include eachdepicted component and/or engine and/or can include one or moreadditional components and/or engines. For example, a device can alsoinclude a user interface, which may include a touch sensor, keyboard,display, camera and/or speakers. As another example, a device caninclude a power component, which can distribute power to components ofthe device. The power component can include a battery and/or aconnection component for connecting to a power source. As yet anotherexample, a module in the application layer can include an operatingsystem. As still another example, an application-layer control processormodule can provide message processing for messages received from anotherdevice. The message processing can include classifying the message androuting it to the appropriate module. To illustrate, the message can beclassified as a request for resource access or for an access-enablingcode, an update message or an indication that a code has been redeemedor verified. The message processing module can further convert a messageor command into a format that can interoperate with a target module.

It will further be appreciated that the components, modules and/oragents could be implemented in one or more instances of software. Thefunctionalities described herein need not be implemented in separatemodules, for example, one or more functions can be implemented in onesoftware instance and/or one software/hardware combination. Othercombinations are similarly be contemplated.

Further yet, it will be appreciated that a storage medium (e.g., usingmagnetic storage media, flash memory, other semiconductor memory (e.g.,DRAM, SRAM), or any other non-transitory storage medium, or acombination of media, and can include volatile and/or non-volatilemedia) can be used to store program code for each of one or more of thecomponents, modules and/or engines depicted in FIGS. 4 and 5 and/or tostore any or all data stores depicted in FIG. 4 or described withreference to FIGS. 4 and/or 5. Any device or system disclosed herein caninclude a processing subsystem for executing the code. The processingsystem can be implemented as one or more integrated circuits, e.g., oneor more single-core or multi-core microprocessors or microcontrollers,examples of which are known in the art.

FIG. 6 illustrates a flowchart of an embodiment of a process 600 forassigning access rights for resources. Process 600 can be performed byan access management system, such as access management system 120.Process 600 begins at block 605 where resource specification engine 502identifies one or more specifications for a resource. The specificationscan include, for example, a time at which the resource is to beavailable, a location of the resource, a capacity of the resourcesand/or one or more entities (e.g., performing entities) associated withthe resource.

At block 610, resource-access allocation engine 504 allocates a set ofaccess rights for the resource. In some instances, each of at least someof the access rights corresponds to a different access parameter, suchas a different location (e.g., seat) assignment. Upon allocation, eachof some or all of the access rights may have a status as available. Asubset of the set of access rights can be immediately (or at a definedtime) assigned or reserved according to a base assignment or reservationrule (e.g., assigning particular access rights to particular entities,who may be involved in or related to provision of the resource and/orwho have requested or been assigned a set of related access rights.

At block 615, communication engine 506 transmits the resourcespecifications and data about the access rights. The transmission canoccur in one or more transmissions. The transmission can be to, forexample, one or more user devices and/or intermediate systems. In someinstances, a notification including the specifications and access-rightdata is transmitted, and in some instances, a notification can begenerated at a receiving device based on the specifications andaccess-right data. The notification can include, for example, a websitethat identifies a resource (via, at least in part, its specifications)and indicates that access rights for the resource are available forassignment. The notification can include an option to request assignmentof one or more access rights.

At block 620, request management engine 512 receives a request for oneor more access rights to be assigned to a user. The request can, forexample, identify particular access rights and/or access parameters. Therequest can include or be accompanied by other information, such asidentifying information. In some instances, the access management systemcan use at least some of such information to determine whether a fee forthe access rights has been authorized. In some instances, the request isreceived via an intermediate system that has already handled suchauthorization.

At block 625, resource scheduling engine 514 assigns the requested oneor more access rights to the user. The assignment can be conditioned onreceipt of all required information, confirmation that the accessright(s) have remained available for assignment, determining using datacorresponding to the request that a bot-detection condition is notsatisfied, fee provision and/or other defined conditions. Assignment ofthe access right(s) can include associating an identifier of each of theone or more rights with an identifier of a user and/or assignment and/orchanging a status of the access right(s) to assigned. Assignment of theaccess right(s) can result in impeding or preventing other users fromrequesting the access right(s), being assigned the access right(s)and/or being notified that the access right(s) are available forassignment. Assignment of the access right(s) can, in some instances,trigger transmission of one or more communications to, for example, oneor more intermediate systems identifying the access right(s) andindicating that they have been assigned and/or with an instruction tocease offering the access rights.

At block 630, encoding engine 516 generates an access-enabling code foreach of the one or more access rights. The code can be generated, forexample, as part of the assignment, as part of the allocation orsubsequent to the assignment (e.g., upon detecting that a user isrequesting access to the resource). Generating an access-enabling codecan include applying a code-generation technique, such on one thatgenerates a code based on a characteristic of a user, user device,current time, access right, resource, intermediate system or othervariable. The access-enabling code can include a static code that willnot change after it has been initially generated or a dynamic code thatchanges in time (e.g., such that block 630 can be repeated at varioustime points).

At block 635, communication engine 506 transmits a confirmation of theassignment and the access-enabling code(s) in one or more transmissions.The transmission(s) may be sent to one or more devices, such as a userdevice having initiated the request from block 620, a remote server oran intermediate system having relayed the request from block 620.

Referring to FIG. 7A, an embodiment of a site system 180 is shown inrelation to mobile devices 724-n, Network Attached Storage (NAS) 750,site network 716 and the network 728. In some embodiments, for attendeesof a live event or concert, site network 716 and site system 180 providecontent, services and/or interactive engagement using mobile devices724. Connections to site system 180 and site network 716 can beestablished by mobile devices 724 connecting to access points 720.Mobile devices 724 can be a type of end user device 110 that isportable, e.g., smartphones, mobile phones, tablets, and/or othersimilar devices.

Site network 716 can have access to content (information aboutattendees, videos, pictures, music, trivia information, etc.) held byNAS 750. Additionally, as described herein, content can be gathered fromattendees both before and during the event. By connecting to sitenetwork 716, mobile device 724 can send content for use by site system180 or display content received from NAS 750.

Referring to FIG. 7B, another embodiment of a site system 180 is shownin relation to mobile devices 724-n, Network Attached Storage (NAS) 750,site network 716 and the network 728, in an embodiment. FIG. 7Badditionally includes phone switch 740. In some embodiments, phoneswitch 740 can be a private cellular base station configured to spoofthe operation of conventionally operated base stations. Using phoneswitch 740 at an event site allows site system 180 to provide additionaltypes of interactions with mobile devices 724. For example, without anysetup or configuration to accept communications from site controller712, phone switch 740 can cause connected mobile devices 724 to ringand, when answered, have an audio or video call be established. Whenused with other embodiments described herein, phone switch 740 canprovide additional interactions. For example, some embodiments describedherein use different capabilities of mobile devices 724 to cause masssounds and/or establish communications with two or more people. Bycausing phones to ring and by establishing cellular calls, phone switchcan provide additional capabilities to these approaches.

FIG. 8 shows a block diagram of user device 110 according to anembodiment. User device 110 includes a handheld controller 810 that canbe sized and shaped so as enable the controller and user device 110 in ahand. Handheld controller 810 can include one or more user-deviceprocessors that can be configured to perform actions as describedherein. In some instances, such actions can include retrieving andimplementing a rule, retrieving an access-enabling code, generating acommunication (e.g., including an access-enabling code) to betransmitted to another device (e.g., a nearby client-associated device,a remote device, a central server, a web server, etc.), processing areceived communication (e.g., to perform an action in accordance with aninstruction in the communication, to generate a presentation based ondata in the communication, or to generate a response communication thatincludes data requested in the received communication) and so on.

Handheld controller 810 can communicate with a storage controller 820 soas to facilitate local storage and/or retrieval of data. It will beappreciated that handheld controller 810 can further facilitate storageand/or retrieval of data at a remote source via generation ofcommunications including the data (e.g., with a storage instruction)and/or requesting particular data.

Storage controller 820 can be configured to write and/or read data fromone or more data stores, such as an application storage 822 and/or auser storage 824. The one or more data stores can include, for example,a random access memory (RAM), dynamic random access memory (DRAM),read-only memory (ROM), flash-ROM, cache, storage chip, and/or removablememory. Application storage 822 can include various types of applicationdata for each of one or more applications loaded (e.g., downloaded orpre-installed) onto user device 110. For example, application data caninclude application code, settings, profile data, databases, sessiondata, history, cookies and/or cache data. User storage 824 can include,for example, files, documents, images, videos, voice recordings and/oraudio. It will be appreciated that user device 110 can also includeother types of storage and/or stored data, such as code, files and datafor an operating system configured for execution on user device 110.

Handheld controller 810 can also receive and process (e.g., inaccordance with code or instructions generated in correspondence to aparticular application) data from one or more sensors and/or detectionengines. The one or more sensors and/or detection engines can beconfigured to, for example, detect a presence, intensity and/or identifyof (for example) another device (e.g., a nearby device or devicedetectable over a particular type of network, such as a Bluetooth,Bluetooth Low-Energy or Near-Field Communication network); anenvironmental, external stimulus (e.g., temperature, water, light,motion or humidity); an internal stimulus (e.g., temperature); a deviceperformance (e.g., processor or memory usage); and/or a networkconnection (e.g., to indicate whether a particular type of connection isavailable, a network strength and/or a network reliability).

FIG. 8 shows several exemplary sensors and detection engines, includinga peer monitor 830, accelerometer 832, gyroscope 834, light sensor 836and location engine 838. Each sensor and/or detection engine can beconfigured to collect a measurement or make a determination, forexample, at routine intervals or times and/or upon receiving acorresponding request (e.g., from a processor executing an applicationcode).

Peer monitor 830 can monitor communications, networks, radio signals,short-range signals, etc., which can be received by a receiver of userdevice 110) Peer monitor 830 can, for example, detect a short-rangecommunication from another device and/or use a network multicast orbroadcast to request identification of nearby devices. Upon or whiledetecting another device, peer monitor 830 can determine an identifier,device type, associated user, network capabilities, operating systemand/or authorization associated with the device. Peer monitor 530 canmaintain and update a data structure to store a location, identifierand/or characteristic of each of one or more nearby user devices.

Accelerometer 832 can be configured to detect a proper acceleration ofuser device 110. The acceleration may include multiple componentsassociated with various axes and/or a total acceleration. Gyroscope 834can be configured to detect one or more orientations (e.g., viadetection of angular velocity) of user device 110. Gyroscope 834 caninclude, for example, one or more spinning wheels or discs, single- ormulti-axis (e.g., three-axis) MEMS-based gyroscopes.

Light sensor 836 can include, for example, a photosensor, such asphotodiode, active-pixel sensor, LED, photoresistor, or other componentconfigured to detect a presence, intensity and/or type of light. In someinstances, the one or more sensors and detection engines can include amotion detector, which can be configured to detect motion. Such motiondetection can include processing data from one or more light sensors(e.g., and performing a temporal and/or differential analysis).

Location engine 838 can be configured to detect (e.g., estimate) alocation of user device 110. For example, location engine 838 can beconfigured to process signals (e.g., a wireless signal, GPS satellitesignal, cell-tower signal, iBeacon, or base-station signal) received atone or more receivers (e.g., a wireless-signal receiver and/or GPSreceiver) from a source (e.g., a GPS satellite, cellular tower or basestation, or WiFi access point) at a defined or identifiable location. Insome instances, location engine 838 can process signals from multiplesources and can estimate a location of user device 110 using atriangulation technique. In some instances, location engine 838 canprocess a single signal and estimate its location as being the same as alocation of a source of the signal.

User device 110 can include a flash 842 and flash controller 846. Flash842 can include a light source, such as (for example), an LED,electronic flash or high-speed flash. Flash controller 846 can beconfigured to control when flash 842 emits light. In some instances, thedetermination includes identifying an ambient light level (e.g., viadata received from light sensor 836) and determining that flash 842 isto emit light in response to a picture- or movie-initiating input whenthe light level is below a defined threshold (e.g., when a setting is inan auto-flash mode). In some additional or alternative instances, thedetermination includes determining that flash 846 is, or is not, to emitlight in accordance with a flash on/off setting. When it is determinedthat flash 846 is to emit light, flash controller 846 can be configuredto control a timing of the light so as to coincide, for example, with atime (or right before) at which a picture or video is taken.

User device 110 can also include an LED 840 and LED controller 844. LEDcontroller 844 can be configured to control when LED 840 emits light.The light emission may be indicative of an event, such as whether amessage has been received, a request has been processed, an initialaccess time has passed, etc.

Flash controller 846 can control whether flash 846 emits light viacontrolling a circuit so as to complete a circuit between a power sourceand flash 846 when flash 842 is to emit light. In some instances, flashcontroller 846 is wired to a shutter mechanism so as to synchronizelight emission and collection of image or video data.

User device 110 can be configured to transmit and/or receive signalsfrom other devices or systems (e.g., over one or more networks, such asnetwork(s) 170). These signals can include wireless signals, andaccordingly user device 110 can include one or more wireless modules 850configured to appropriately facilitate transmission or receipt ofwireless signals of a particular type. Wireless modules 850 can includea Wi-Fi module 852, Bluetooth module 854, near-field communication (NFC)module 856 and/or cellular module 856. Each module can, for example,generate a signal (e.g., which may include transforming a signalgenerated by another component of user device 110 to conform to aparticular protocol and/or to process a signal (e.g., which may includetransforming a signal received from another device to conform with aprotocol used by another component of user device 110).

Wi-Fi module 854 can be configured to generate and/or process radiosignals with a frequency between 2.4 gigahertz and 5 gigahertz. Wi-Fimodule 854 can include a wireless network interface card that includescircuitry to facilitate communicating using a particular standard (e.g.,physical and/or link layer standard).

Bluetooth module 854 can be configured to generate and/or process radiosignals with a frequency between 2.4 gigahertz and 2.485 gigahertz. Insome instances, bluetooth module 854 can be configured to generateand/or process Bluetooth low-energy (BLE or BTLE) signals with afrequency between 2.4 gigahertz and 2.485 gigahertz.

NFC module 856 can be configured to generate and/or process radiosignals with a frequency of 13.56 megahertz. NFC module 856 can includean inductor and/or can interact with one or more loop antenna.

Cellular module 858 can be configured to generate and/or processcellular signals at ultra-high frequencies (e.g., between 698 and 2690megahertz). For example, cellular module 858 can be configured togenerate uplink signals and/or to process received downlink signals.

The signals generated by wireless modules 850 can be transmitted to oneor more other devices (or broadcast) by one or more antennas 859. Thesignals processed by wireless modules 850 can include those received byone or more antennas 859. One or more antennas 859 can include, forexample, a monopole antenna, helical antenna, intenna, Planar Inverted-FAntenna (PIFA), modified PIFA, and/or one or more loop antennae.

User device 110 can include various input and output components. Anoutput component can be configured to present output. For example, aspeaker 862 can be configured to present an audio output by convertingan electrical signal into an audio signal. An audio engine 864 caneffect particular audio characteristics, such as a volume,event-to-audio-signal mapping and/or whether an audio signal is to beavoided due to a silencing mode (e.g., a vibrate or do-not-disturb modeset at the device).

Further, a display 866 can be configured to present a visual output byconverting an electrical signal into a light signal. Display 866 mayinclude multiple pixels, each of which may be individually controllable,such that an intensity and/or color of each pixel can be independentlycontrolled. Display 866 can include, for example, an LED- or LCD-baseddisplay.

A graphics engine 868 can determine a mapping of electronic image datato pixel variables on a screen of user device 110. It can further adjustlighting, texture and color characteristics in accordance with, forexample, user settings.

In some instances, display 866 is a touchscreen display (e.g., aresistive or capacitive touchscreen) and is thus both an input and anoutput component. A screen controller 870 can be configured to detectwhether, where and/or how (e.g., a force of) a user touched display 866.The determination may be made based on an analysis of capacitive orresistive data.

An input component can be configured to receive input from a user thatcan be translated into data. For example, as illustrated in FIG. 8, userdevice 110 can include a microphone 872 that can capture audio data andtransform the audio signals into electrical signals. An audio capturemodule 874 can determine, for example, when an audio signal is to becollected and/or any filter, equalization, noise gate, compressionand/or clipper that is to be applied to the signal.

User device 110 can further include one or more cameras 876, 880, eachof which can be configured to capture visual data (e.g., at a given timeor across an extended time period) and convert the visual data intoelectrical data (e.g., electronic image or video data). In someinstances, user device 110 includes multiple cameras, at least two ofwhich are directed in different and/or substantially oppositedirections. For example, user device 110 can include a rear-facingcamera 876 and a front-facing camera 880.

A camera capture module 878 can control, for example, when a visualstimulus is to be collected (e.g., by controlling a shutter), a durationfor which a visual stimulus is to be collected (e.g., a time that ashutter is to remain open for a picture taking, which may depend on asetting or ambient light levels; and/or a time that a shutter is toremain open for a video taking, which may depend on inputs), a zoom, afocus setting, and so on. When user device 110 includes multiplecameras, camera capture module 878 may further determine which camera(s)is to collect image data (e.g., based on a setting).

FIG. 9 illustrates sample components of an embodiment of site system180, including connections to NAS 750 and access management system 185.Embodiments of site controller 712 use network manager 920 to connectvia access points 720 (using e.g., WiFi 952, Bluetooth 953, NFC 956,Ethernet 958, and/or other network connections) to other networkcomponents, such as site network 716 and mobile devices 724. In someembodiments, site system 280 uses site controller 712 to control aspectsof an event venue. A broad variety of venue features can be controlledby different embodiments, including: permanent lights (e.g., withlighting controller 922), stage lights (e.g., with presentmentcontroller 924), stage display screens (e.g., with stage display(s)controller 912), permanent display screens (e.g., with permanentdisplay(s) controller 914), and the venue sound system (e.g., with thesound system controller 916).

A more detailed view of NAS 750 is shown, including NAS controller 930coupled to user video storage 932, captured video storage 934,preference storage 936, and 3D model 938. Captured video storage 934 canreceive, store and provide user videos received from mobile devices 724.In some embodiments, site controller 712 triggers the automatic captureof images, audio and video from mobile devices 724, such triggeringbeing synchronized to activities in an event. Images captured by thisand similar embodiments can be stored on both the capturing mobiledevice 724 and user video storage 932. In an embodiment, site controller712 can coordinate the transfer of information from mobile devices toNAS 750 (e.g., captured media) with activities taking place during theevent. When interacting with mobile devices 724, some embodiments ofsite controller 712 can provide end user interfaces 926 to enabledifferent types of interaction. For example, as a part of engagementactivities, site controller may offer quizzes and other content to thedevices. Additionally, with respect to location determinations discussedherein, site controller can supplement determined estimates withvoluntarily provided information using end user interfaces 926, storedin a storage that is not shown.

In some embodiments, to guide the performance of different activities,site controller 712 and/or other components may use executable code 938tangibly stored in code storage 939. In some embodiments, siteinformation storage 937 can provide information about the site, e.g.,events, seat maps, attendee information, geographic location ofdestinations (e.g., concessions, bathrooms, exits, etc.), as well as 3Dmodels of site features and structure.

FIG. 10 is a block diagram illustrating another embodiment of resourceaccess-facilitating interaction system 1000. Resourceaccess-facilitating interaction system 1000 can include user device1002, resource allocation system 1004, resource access system 1006, andresource data store 1010. In some cases, resource access-facilitatinginteraction system 1000 can also include communication server 1016 anduser device 1012. Resource access-facilitating interaction system 1000can facilitate the authentication of requests to access one or moreaccess rights stored in resource data store 1010. Authentication ofrequests to access resource data store 1010 can authenticate whether thedevice requesting access to resource data store 1010 is authorized. Forexample, the authentication of requests to access resource data store1010 can be dynamic and scalable, in that the type and number ofchallenge workflows executed as part of the authentication process canchange based on one or more aspects, attributes, or characteristics ofthe device requesting the access.

In some cases, the one or more access rights stored in resource datastore 1010 may be assigned to a particular user device. For example, theone or more access rights (e.g., electronic tickets) may grant theparticular user device access to a resource (e.g., an event) during adefined time period. Further, access to the one or more access rightsstored in resource data store 1010 can enable a user to requestreassignment (e.g., transfer, sell, etc.) of the one or more accessrights to another user, perform a printing operation associated with theone or more access rights (e.g., print an electronic ticket), orotherwise interact with the one or more access rights.

Resource allocation system 1004 can include one or more servers and oneor more networks to facilitate the assignment of access rights. Forexample, resource allocation system 1004 can facilitate assignment ofaccess rights to user devices. Resource allocation system 1004 can beconfigured to manage a dynamic set of access rights to one or moreresources. More specifically, resource allocation system 1004 can trackwhich access rights or resources are to be made available to users,specifications of the access rights and times at which the access rightsor resources will be available. Resource allocation system 1004 can alsoallocate access rights for resources and facilitate transmissions ofnotifications of the available rights to a set of user devices. Forexample, resource allocation system 1004 can alert users of theavailability via a website, app page or email. As another example,resource allocation system 1004 can transmit data about access rightsand resources to one or more intermediate systems, which can facilitateassignment of access rights (e.g., processing of requests for suchrights).

Resource access system 1006 can include one or more servers and one ormore networks to facilitate the authentication of the user device thatrequests access to resource data store 1010. In some cases, resourceaccess system 1006 can facilitate the reassignment of an access rightfrom one user to another. In some cases, resource access system 1006 canenable a user to perform a print operation for printing a physicalrepresentation of an access right.

In some examples, resource access system 1006 can include anauthentication system 1008. Authentication system 1008 can include oneor more servers and one or more networks configured to authenticate auser device that requests access to one or more access rights stored inresource data store 1010 before completing or responding to the request.For example, authentication system 1008 can authenticate the user deviceby verifying that the request is transmitted from an approved userdevice. Authentication system 1008 can prevent unauthorized user devices(e.g., hackers or bot users) from interacting with the one or moreaccess rights assigned to a user by requiring authentication prior togranting access to the one or more access rights.

In some cases, authentication system 1008 can authenticate that anauthorized user device is requesting to access one or more access rightsstored in a data store. Authentication system 1008 can implementauthentication using one or more challenge workflows. For example, achallenge workflow (e.g., a factor) can include data representing aprocess of a challenge, an authentication test, a prompt or request forspecific information or evidence of possession of a particular devicethat is presented to the user (or identified based on interactions withthe user), and so on. As a further example, a challenge workflow caninclude a request to enter a code transmitted to a user's mobile device.When the authentication system 1008 receives the correct code from themobile device, the authentication test associated with the challengeworkflow can be satisfied. As another example, an additional challengeworkflow can include a request to scan a user's fingerprint. Uponreceiving the correct fingerprint data of the user, the authenticationtest associated with the challenge workflow is satisfied. When all ofthe factors presented to the user (or identified from interacting withthe user) are satisfied, then authentication system 1008 can grant theuser device's request to access one or more access rights associatedwith the user. According to aspects of the present disclosure, thenumber and type of challenge workflows that are executed as part of theauthentication process is dynamic and scalable based on one or morecharacteristics of the user device requesting access.

In some examples, authentication system 1008 can scale a number and typeof challenge workflows included in the authentication. For example,authentication system 1008 can identify a type of device used totransmit a request to access one or more access rights, and candetermine the number of challenge workflows to include in theauthentication process. Authentication system 1008 can also determinethe type of challenge workflow used in the authentication process basedon the type of device used to transmit the request. For example,authentication system 1008 can identify that the request to access oneor more access rights stored in a resource data store was transmittedfrom a mobile device. Authentication system 1008 can determine that theauthentication process presented to the user operating the mobile device(e.g., smartphone) includes two challenges before granting the user'srequest. A first challenge can include a request to enter a password orlogin credential on the mobile device. A second challenge can include arequest to enter a code which was transmitted to the mobile device as atext message. When the user successfully passes the two challenges,authentication system 1008 can grant the user device access to the datastore that stores the one or more access rights associated with the userdevice.

As another example, if the request is transmitted from a server farm(e.g., a hacker or a bot script), authentication system 1008 canidentify that the request is transmitted from a server farm anddynamically determine that the authentication process should bedifficult because the request may originate from an unauthorized user.As only a non-limiting example, authentication system 1008 can determinethat the authentication process will include seven challenges. A firstchallenge can include a request to enter a password or login credential.A second challenge can include a request to enter a code which wastransmitted to the user device using a text message communicationchannel. A third challenge can include a request to scan a fingerprint.A fourth challenge can include a request to take a picture of a face tocompare against the user's previously-stored photograph. A fifthchallenge can include a request to interact with other authorizeddevices (e.g., a smartwatch wirelessly connected to the user device). Asixth challenge can include a request to call a phone number and speakwith an agent to verify the requestor's identify. A seventh challengecan include a request to confirm additional details associated with theuser. The seven challenges are designed to make it difficult for theunauthorized user to successfully pass all of the challenges.

In some cases, authentication system 1008 can determine the type ofdevice that originally transmits the request based on variousinformation included in the request or information associated with therequest. For example, to submit the request to reassign an access rightstored in a resource data store, the user may execute a nativeapplication on a mobile device and log in. Certain information can bedetermined during the log in process, for example, a type of device usedto log into the account (e.g., a smartphone or desktop). Authenticationsystem 1008 can also identify an IP address associated with thetransmission of the request to determine a location (e.g., requesttransmitted from the United States or from another country) of theorigination of the request.

In some examples, authentication system 1008 can determine a technologyfootprint of a user. A technology footprint can identify the devices(e.g., user device 1002 and user device 1012, which is wirelesslyconnected to user device 1002 via communication link 1014) associatedwith the user. For example, a technology footprint can identify that auser is associated with a laptop, a smartphone, and a smartwatch.Another technology footprint can identify that a user is associated witha desktop. For example, the devices associated with the user can beidentified by the user by entering information of each device into theuser's profile. As another example, the devices associated with the usercan be automatically identified based on interactions with the user(e.g., if the user has downloaded an app on the user's smartwatch orpaired a smartwatch with a smartphone). Authentication system 1008 candetermine all possible challenge workflows (e.g., a challenge workflowcan be a process or workflow to facilitate the challenge) that areassociated with the user. One or more challenge workflows can beselected from all possible challenge workflows determined for aparticular user. The possible challenge workflows can be different forvarious users so that all of the possible challenge workflows isspecifically determined for each user.

Resource data store 1010 can include servers, data structures, orstorage devices that store resource data. Resource data can include datarepresenting resources or access rights to resources. For example,resource data can identify an access right assigned to a user for aparticular resource. Resource data store 1010 can be connected to bothresource allocation system 1004 and resource access system 1006.

Communication server 1016 can include a server configured to facilitatecommunications between user device 1002 and resource access system 1006.For example, communication server 1016 can be an email server. The emailserver can email the user device with a link or a code to be accessed aspart of a challenge workflow. As another example, communication server1016 can include a short message service (SMS) server that can transmita text message to a mobile device associated with the user. The textmessage can include a link or a code to be accessed by the user as partof a challenge workflow. It will be appreciated that communicationserver 1016 can include other servers or systems that can facilitatecommunication between user device 1002 and authentication system 1008.

FIG. 11 is a block diagram illustrating another embodiment of a resourceaccess-facilitating interaction system 1000. For example, FIG. 11illustrates a block diagram of authentication system 1008 in the contextof resource access-facilitating interaction system 1000. Authenticationsystem 1008 can include interface engine 1102, controller system 1104,challenge workflow scaling engine 1106, authentication engine 1108, andchallenge workflow data store 1110.

Interface engine 1102 may be stored in a memory and executable by aprocessor to receive from user device 1002 a request to access one ormore access rights. Interface engine 1102 can receive the request andforward all or part of the request to an specific destination. Forexample, interface engine 1102 can forward all or part of the request tocontroller system 1104. Further, interface engine 1102 can convert ortransform the request into a format readable by controller system 1104.

Controller system 1104 can include one or more processors configured tocontrol authentication system 1008. For example, controller system 1104can receive all or part of the request from interface engine 1102.Controller system 1104 can process the request by transmitting all, aportion of, or a transformation of the request to challenge workflowscaling engine 1106. Controller system 1104 can also track the receivedrequest by storing the request in a data structure associated with theuser transmitting the request or storing an identifier associated withthe request.

Challenge workflow scaling engine 1106 may be stored in a memory andexecutable by a processor to determine a number and type of challengeworkflows to include in the authentication process. For example,challenge workflow scaling engine 1106 can process the request orportion of the request received from controller system 1104. Challengeworkflow scaling engine 1106 can determine which challenge workflows toinclude in the authentication process with the user. For example,challenge workflow scaling engine 1106 can determine whether the user ismore likely to be an authorized user than an unauthorized user based onseveral factors. If challenge workflow scaling engine 1106 determinesthat the user is more likely to be an authorized user, then challengeworkflow scaling engine 1106 selects a set of challenge workflows thatwould cause less friction for the user. For example, the fact that theuser is logged into a particular application can be one challengeworkflow. Another challenge workflow can be a request for the user toselect a link from an email transmitted to the user's email address.This challenge workflow can request that the user select the link on thesame user device which transmitted the request. However, if thechallenge workflow scaling engine 1106 determines that the usertransmitting the request is likely to be a bot user, then challengeworkflow scaling engine 1106 can select a set of challenge workflowsthat makes it more difficult for the user to successfully pass all ofthe challenge workflows. For example, challenge workflow scaling engine1106 can select many challenge workflows (e.g., 7 challenge workflows),including, for example, challenge workflows that verify the identity ofthe requestor is the same as the identity of the user associated withthe user profile through which the requestor is transmitting therequest. For example, challenge workflow scaling engine 1106 can selecta challenge workflow that prompts the user to take a picture of himselfor herself so that challenge workflow scaling engine 1106 can match thatagainst a previously-stored picture. Doing so can prevent unauthorizedusers from unauthorized access to the one or more access rights storedin a resource data store. Challenge workflow scaling engine 1106 selectsthe set of challenge workflows from a plurality of challenges workflowsspecifically determined based on information about the user or user'sprofile.

Challenge workflow scaling engine 1106 transmits identifiers of theselected challenge workflows to controller system 1104. Controllersystem 1104 can facilitate the challenge workflow so that the challengecan be presented to the user. For example, if a challenge workflow is arequest for a user to select a link in an email transmitted to the userdevice, controller system 1104 can instruct communication server 1016 totransmit an email to the user's email address. Controller system 1104can also transmit a message to the user device indicating that the usershould open the email and select the link using the user device.

Challenge workflow data store 1110 can include one or more servers andnetworks configured to store the database of challenge workflows.Challenge workflow data store 1110 can also store information associatedwith challenge workflows, for example, which challenge workflowstypically are included together in an authentication process, whichchallenge workflows typically make the user fail the challenge, whichchallenge workflows have been satisfied by known hackers/bad actors,etc.

Responses to the challenge workflows can be received from user device1002 at interface engine 1102. The responses can be transmitted tocontroller system 1104 to be forwarded to authentication engine 1108.Authentication engine 1108 may be stored in a memory and executable by aprocessor to authenticate the received responses. In some cases,authentication engine 1108 can determine whether the received responsesare correct. For example, a challenge workflow may include a requestthat the user to select a link in an email received from communicationserver 1016. Once selected, the link can obtain a device identification(ID) of the user device on which the link was selected. The device IDcan be transmitted from the user device (e.g., user device 1002) toauthentication engine 1108 via interface engine 1102 and controllersystem 1104. In this example, authentication engine 1108 can compare thereceived device ID with a stored device ID associated with the user'sprofile. If there is a match, then authentication engine 1108 candetermine that the user has successfully passed the challenge workflow.If the received device ID does not match a stored device ID associatedwith the user's profile, then authentication engine 1108 can determinethat the user has failed the challenge workflow. It will be appreciatedthat the stored device ID may be received along with the request whenthe user executes the application that allows the user to transmit therequest.

When authentication engine 1108 determines that the challenge workflowshave been successfully passed by the user, authentication engine 1108can transmit a signal to resource data store 1010. The signaltransmitted by authentication engine 1108 can facilitate theestablishment of connection 1112 between user device 1002 and resourcedata store 1010. In some cases, authentication engine 1108 can grant theuser's request to access one or more access rights stored in a datastore when all or a particular set of challenge workflows have beensatisfied by the user. The establishment of connection 1112 can indicatethe grant of the user's request to access one or more access rightsstored in a data store.

FIG. 12 is a swim lane diagram illustrating a multi-factorauthentication process 1200, according to an embodiment. Multi-factorauthentication process 1200 can be performed at least at a communicationserver (e.g., communication server 1016), a user device (e.g., userdevice 1002), an authentication system (e.g., authentication system(1008), and a resource data store (e.g., resource data store 1010).

At block 1202, the user device transmits a request to access one or moreaccess rights stored in a data store. The user may first execute anapplication on the user device (e.g., a mobile device). The user can loginto the application with the user's log-in credentials. Aftersuccessfully logging into the application, the user can view accessrights that are assigned to the user. In some cases, the request may betransmitted along with other information. For example, the request maybe transmitted to the authentication server along with a deviceidentifier (ID) of the user device on which the request was transmitted.In this example, if the user transmitted the request using his or hersmartphone, then the device ID transmitted to the authentication systemwould be that of the smartphone and would be included in the request(e.g., within a data field of the request).

At block 1204, the authentication system can determine a number and typeof challenge workflows to include in the authentication process with theuser. In some cases, the authentication system can determine a pluralityof challenge workflows that are specifically designed for a particularuser based on the user's technology footprint (e.g., an overview of allof the authorized devices used by the user). In these cases, theauthentication system can select a set of challenge workflows from theplurality of challenge workflows designed for the user. Theauthentication system can select the set of challenge workflows based oninformation included in the request. For example, if the requestindicates that the requestor (e.g., the user transmitting the request toaccess one or more access rights) is requesting to reassign an accessright from the requestor to another user (e.g., an expensive ticket toan event with limited space), the authentication may select a set ofchallenge workflows that ensure that the requestor is actually the userassociated with the user profile. In this example, the authenticationsystem may select three challenge workflows, including a request for afingerprint scan to be compared against fingerprint data stored in theuser's profile. In another example, if the request indicates that a userwho regularly requests reassignment of access rights to other users isrequesting to reassign an access right, the authentication system mayselect a set of challenge workflows that easily allow access right to bereassigned. In this example, the authentication system may select twosimple challenge workflows for the user.

Once the authentication system has determined the number N of challengeworkflows and the type of challenge workflows, the authentication systemcan transmit an authentication instruction message to the user, at block1206. In some cases, the authentication system can transmit a message tothe user device indicating how to respond to the challenge workflows.For example, the authentication system can transmit a message to theuser device (e.g., a smartphone) instructing the user to execute anemail application and open a particular email received from theauthentication system (via the communication server). In some cases, themessage may be a text message received at the user device. In othercases, the message may be a push notification that is presented on theuser device through the application. At block 1208, the user device mayreceive and display the message.

At block 1210, the authentication system may transmit a communicationtrigger to the communication server. Block 1210 is performed when one ofthe challenge workflows is a request for a user to click a link in anemail or text message received at the user device. The communicationtrigger includes a signal that triggers the communication server to sendan email or text message to the user device. The communication triggermay include identification information of the user and user device. Forexample, the communication trigger may include a message and emailaddress, which the communication server can use to transmit an emailmessage to the user's email address. In some cases, the communicationtrigger may instruct the communication server to send an email includinga selectable element (e.g., a hyperlink). In these cases, when thehyperlink is ultimately selected by the user, the device ID of thedevice on which the hyperlink was selected is transmitted back to theauthentication server.

At block 1212, the communication server receives the communicationtrigger. In some cases, the communication server can be an email server.In other cases, the communication server may be an SMS server that canfacilitate transmission of text messages. When the communication triggeris received at the communication server, the communication serverprepares the communication (e.g., email or text message) to betransmitted to the user. If the communication server is an email server,the communication server may transmit an email to a user's personalemail address. If the communication server is an SMS server, thecommunication server may transmit a text message to the user device.

At block 1214, the communication server may transmit the message (viaemail or text message) to the user. The message can include aconfirmation element (e.g., a hyperlink) which can be selected by theuser. Upon selecting the confirmation element, the device ID of thedevice on which the confirmation element was selected is determined.

At block 1216, the user receives the confirmation element. For example,the confirmation element can be included in an email and transmitted tothe user's email address. The email can be opened by executing an emailapplication on the user device and opening the email transmitted by thecommunication server. In some cases, the confirmation element can be atext message. In these cases, the text message can be received at theuser device.

At block 1218, the user device can receive an input corresponding to aselection of the confirmation element (e.g., the hyperlink). Forexample, the user can touch a touchscreen of the user device to selectthe confirmation element. In other examples, the user can click on theconfirmation element using a stylus pen our a mouse icon.

At block 1220, the selection of the link initiates an extraction of thedevice ID of the device on which the link was selected. In some cases,the link can be a deep link that directs the user back to theapplication and indicates to the user that the request has beencompleted. In other cases, the link can initiate or trigger a code thataccesses the identification information of the device on which the linkwas selected. At block 1222, the obtained device ID is transmitted tothe authentication system. At block 1224, the obtained device ID isreceived at the authentication system. The device ID can be stored,processed, and analyzed.

At block 1226, the authentication system compares the obtained device IDwith the device ID that was previously received by the authenticationsystem (e.g., at block 1202). For example, the authentication system canreceive the device ID of the device that originated the request. In thisexample, the request can originate when the user device receives inputcorresponding to a selection (e.g., by a user) of a button or linkassociated with requesting access to one or more access rights. Therequest can be transmitted with the device ID of the device transmittingthe request (e.g., the user's smartphone). In some cases, the device IDcan be stored in association with the user's profile. In these cases,when the user initially registers with the resource access system, theuser can input the device ID of the user's smartphone, for example. Thedevice ID can also be automatically extracted at the time ofregistration. The second device ID received at the authentication systemis the ID of the device on which the link was selected. Theauthentication system compares these two links and determines whether ornot a match exists. When a match exists, the authentication system hasauthenticated the user device because the authentication system hasreceived proof (e.g., by way of receiving the device ID after the userselects or clicks the link) that the user is operating the user device.Further, when the device ID associated with the initial request toaccess one or more access rights stored in a data store matches thedevice ID of the device on which the link was selected, then themulti-factor authentication process 1200 proceeds block 1228 where therequest is granted.

At block 1230, the user is granted access to the resource data store.For example, a link between the authorized user device and the resourcedata store can be established. In some cases, the user device can gainaccess to one or more access rights stored in a data store withouthaving to be re-authorized. In other cases, the user can periodically orrandomly be required to re-authorize the user device by repeating thesteps in process 1200 again.

At block 1232, the user device can interact with the resource data storebecause a link has been established between the user device and theresource data store. The resource data store can allow access toresource data because the user device is authorized, and theauthentication system has sufficiently proven that the user who isrequesting to access the data store is authorized to do so.

Multi-factor authentication process 1200 can prevent a hacker fromaccessing the one or more access rights stored in the data store if thehacker gained unauthorized access to a user's profile, the hacker willnot likely also have overtaken the user's personal email address or theuser's personal mobile device. The authentication can prevent theseunauthorized users from interacting with the user's access rights byrequiring the requestor to select a link from a personal email addressusing the user's mobile device, for example.

FIG. 13 is a swim lane diagram illustrating multi-factor authenticationprocess 1300 according to another embodiment. Multi-factorauthentication process 1300 can be performed at least at a communicationserver (e.g., communication server 1016), a user device (e.g., userdevice 1002), an authentication system (e.g., authentication system(1008), and a resource data store (e.g., resource data store 1010).Multi-factor authentication process 1300 makes use of the fact that manyusers have more than one device (e.g., a smartphone, a smartwatch, atablet, etc.). Multi-factor authentication process 1300 requires theuser to place a secondary device (e.g., user device #2) in a vicinitynear a primary device (user device #1, e.g., a smartphone) so that aparticular sound emitted from user device #2 can be received andverified by user device #1. Multi-factor authentication process 1300ensures that the individual requesting to access the one or more accessrights stored in the data store is in possession of the user device andany other authorized or approved devices. For example, the secondarydevices associated with a user can be inputted into a user profile bythe user so that the authentication system knows an identify of anysecondary devices.

At block 1302, user device #1 transmits a request to access one or moreaccess rights stored in a data store. For example, user device #1 maytransmit the request in order to request reassignment of the one or moreaccess rights to another user device associated with another user. Theuser may first execute an application on the user's user device (e.g., asmartphone). The user can log into the application with the user'slog-in credentials. After successfully logging into the application, theuser can view the access rights that are assigned to the user. In somecases, the request may be transmitted along with other information. Forexample, the request may be transmitted to the authentication serveralong with a device identifier (ID) of the user device on which therequest was transmitted. In this example, if the user transmitted therequest using his or her smartphone, then the device ID transmitted tothe authentication system would be that of the smartphone and would beincluded in the request.

At block 1304, the authentication system can determine a number and typeof challenge workflows to include in the authentication process with theuser. In some cases, the authentication system can determine a pluralityof challenge workflows that are specifically designed for a particularuser based on the user's technology footprint (e.g., an overview of allof the authorized devices used by the user). In these cases, theauthentication system can select a set of challenge workflows from theplurality of challenge workflows designed for the user. Theauthentication system can select the set of challenge workflows based oninformation included in the request. For example, if the requestindicates that the requestor (e.g., the individual initiating thetransmission of the request) is requesting to reassign particular accessrights (e.g., high-value electronic tickets to an event with limitedspace), the authentication may select a set of challenge workflows thatensure that the requestor is actually the user associated with the userprofile. In this example, the authentication system may select threechallenge workflows, including a request for a fingerprint scan to becompared against fingerprint data stored in the user's profile. Inanother example, if the request indicates that a user who regularlyrequests reassignment is requesting reassignment of an access right, theauthentication system may select a set of challenge workflows thateasily allow the user to reassign the access right to another user. Inthis example, the authentication system may select two simple challengeworkflows for the user.

Once the authentication system has determined the number N of challengeworkflows and the type of challenge workflows, the authentication systemcan transmit an authentication instruction message to the user, at block1306. In some cases, the authentication system can transmit a message tothe user device indicating how to respond to the challenge workflows.For example, the authentication system can transmit a message to theuser device (e.g., a smartphone) instructing the user to position anysecondary devices (e.g., smartwatches) into a vicinity of user device#1. At block 1308, the user device may receive and display theauthentication instruction message.

At block 1310, user device #1 can transmit an output instruction to userdevice #2. The output instruction can instruct user device #2 to outputa sound or vibration, which can be heard at user device #1. The outputinstruction can be transmitted to user device #2 over a short-rangecommunication link (e.g., a Bluetooth link).

At block 1312, user device #2 can receive the output instruction fromuser device #1. At block 1314, user device #2 can output a sound orvibration according to the output instruction. In some cases, the outputcan be a sound outputted by user device #2. In other cases, the outputcan be a pattern of vibration outputted by user device #2.

At block 1316, user device #1 receives the output sound of user device#2. For example, a microphone of user device #1 can receive the outputsound or the sound from the vibration of user device #2. Theauthentication system can verify that user device #1 is near anauthorized device (e.g., user device #2) because user device #1 pickedup the sounds outputted by user device #2.

At block 1318, user device #1 can verify the received output sound.Verifying the output sound can include comparing the output instructionwith the received sound. For example, the output instruction mayindicate the sound that is outputted by user device #2. This allows userdevice #1 to verify that the sound it received from user device #2 isaccurate.

At block 1320, the obtained device ID of user device #1 can be extractedand transmitted to the authentication system, along with a confirmationmessage. At block 1322, the obtained device ID is received at theauthentication system. The device ID can be stored, processed, andanalyzed.

At block 1324, the authentication system compares the obtained device IDwith the device ID that was previously received by the authenticationsystem (e.g., at block 1302). For example, the authentication system canreceive the device ID of the device that originated the request. requestcan be transmitted with the device ID of the device transmitting therequest (e.g., the user's smartphone). In some cases, the device ID canbe stored in association with the user's profile. In these cases, whenthe user initially registers with the resource access system, the usercan input the device ID of the user's smartphone, for example. Thedevice ID can also be automatically extracted at the time ofregistration. The second device ID received at the authentication systemis the ID of the device on which the link was selected. Theauthentication system compares these two links and determines whether ornot a match exists. When a match exists, the authentication system hasauthenticated the user device because the authentication system hasreceived proof (e.g., by way of receiving the device ID after the userselects or clicks the link) that the user is operating the user device.Further, when the device ID associated with the initial request matchesthe device ID of the device on which the link was selected, then themulti-factor authentication process 1300 proceeds block 1326 where theuser's request to access one or more access rights stored in the datastore is granted.

At block 1328, the user is granted access to the resource data store.For example, a link between the authorized user device and the resourcedata store can be established. In some cases, the user can freely accessone or more access rights stored in a data store without having to bere-authorized. In other cases, the user can periodically or randomly berequired to re-authorize the user device by repeating the steps inprocess 1300 again.

At block 1330, the user device can interact with the resource data storebecause a link has been established between the user device and theresource data store. The resource data store can allow access toresource data because the user device is authorized, and theauthentication system has sufficiently proven that the user who isrequesting to access one or more access rights stored in a data store isauthorized to access and interact (e.g., request reassignment of the oneor more access rights to another user, perform a print operationcorresponding to the access right, and so on) with the one or moreaccess rights.

Multi-factor authentication process 1300 can prevent a hacker fromimproperly gaining access to the one or more access rights associatedwith a user's profile, and the hacker will not likely also haveovertaken other user devices (e.g., smartwatches, tablets, etc.)operated by the user. Embodiments of the present disclosure can preventthese hackers from interacting with the access rights associated withusers by requiring the requestor (e.g., the originator of the request)to receive a signal from a secondary device (e.g., a smartwatch)associated and approved by the user who is associated with the userprofile.

It will be appreciated that if User Device #2 detects a particularsignal (e.g., a predefined audio or video signal), User Device #2 cantransmit a communication message to User Device #1. For example, whenthe communication message is received at User Device #1, thecommunication message (e.g., via a carrier signal) can cause or triggerone or more processes or events to be initiated at User Device #1.Examples of processes or events can include a notification of unassignedaccess rights for a resource, a notification to request reassignment ofan access right assigned to the user associated with User Device #1, aninitiation of executing a native application on User Device #1 (e.g., ifUser Device #1 is a smartphone), and other suitable processes or events.It will also be appreciated that User Device #2 can be used toauthenticate the user operating User Device #1 (e.g., instead of usingauthentication processes that prompt inputs from the user operating UserDevice #1). For instance, User Device #2 can detect an ambient sound orlight, and use the detected ambient sound or light to determine which ofone or more protocols to use for communicating with User Device #1 forauthentication purposes. For example, if the ambient sound is detectedas being noisy, User Device #2 can determine that a protocol of usingtapping or vibrating of the devices is to be used over protocols thatuse sound inputs. In this example, authentication of the user can beperformed by vibrating User Device #2 in a particular pattern, andrequesting that the user tap on User Device #1 using the vibrationpattern.

FIG. 14 is a block diagram of challenge workflow scaling engine 1106according to an embodiment. In some cases, a plurality of challengeworkflows can be specifically tailored to a user device. For example, auser device (e.g., an IPHONE) can be associated with a set of challengeworkflows that is specific to the user device. Challenge workflowscaling engine 1106 can select a subset of challenge workflows from theset of all available challenge workflows based on information includedin the request (e.g., the request to access the resource data store thatis received from the user device). For example, the request can includea device identifier that characterizes an attribute of the user devicethat transmitted the request. In some instances, the attribute canrepresent the type of computing device of the user device. Examples oftypes of computing devices include a mobile device (e.g., a smartphone),a server, a desktop, a tablet device, an electronic kiosk, and othersuitable devices. In some examples, the device identifier maycharacterize other attributes of the user device, including, forexample, the operating system operating on the user device, the networkspeed at the user device, whether or not a particular native applicationis executing on the user device, and so on. In some examples, the deviceidentifier can be extracted (e.g., by an authentication system) from therequest (or communication). For example, the device identifier can beincluded in a data field of the request, and that data field can beextracted to identify the device identifier.

The selection of a subset of challenge workflows can be considered ascaling of challenge workflows because, for example, challenge workflowscaling engine 1106 may select two challenge workflows for one deviceand five challenge workflows for another device. In some examples,challenge workflow scaling engine 1106 can calculate a score for each ofthe plurality of challenge workflows and filter the calculated scores sothat only a select few challenge workflows remain for execution. Theseselected challenge workflows can ultimately be used in theauthentication process with the user. In some instances, calculating thescore can be based on predefined rules. For example, a predefined rulecan include a process for calculating a high score for a user devicethat transmitted a request to access the resource data store via aparticular native application executing on the user device. In somecases, the defined rule can calculate a very low score when the requestis received from a server (e.g., from a bot or software program runningon a server). The predefined rules can be configured to generate higherscores for certain challenge workflows when the requests are receivedfrom mobile devices (e.g., smartphones or tablet devices which arecommonly associated with human users). Further, the predefined rules canbe configured to generate lower scores for certain challenge workflowswhen the requests are received from non-portable computing devices(e.g., desktop computer, server farms, etc., which are commonlyassociated with bot users). It will be appreciated that lower scores canbe calculated when requests are received from mobile devices and higherscores can be calculated when requests are received from non-portabledevices.

In some cases, the rules for calculating scores for challenge workflowscan be dynamically configured based on machine-learning techniques orbig data analytics. For example, a rule for calculating a score for achallenge flow can be high when the request (received from a userdevice) was received from an IP address associated with a particulargeographical region (e.g., a neighborhood or city). In this example, if,at any time, the authentication system determines that the IP address orthe geographical region is associated with a request received from a botuser, then the authentication system may dynamically reconfigure therule, such that the rule calculates a score for the challenge flow thatis low when the request is received from the IP address associated withthe particular geographical region.

Controller system 1104 can communicate with challenge workflow scalingengine 1106. For example, controller system 1104 can transmit request1402 to challenge workflow scaling engine 1106. The request 1402 can bea request to access one or more access rights stored in the resourcedata store. For example, the one or more access rights can be assignedto the user operating the user device. In some cases, request 1402 maybe a signal or communication that originates from the user device andmay be forwarded to challenge workflow scaling engine 1106 viacontroller system 1104.

Challenge workflow scaling engine 1106 can include buffer 1404, datastructure 1406 for the total challenge workflow set, filter 1408, datastructure 1410 for the selected challenge workflows to be used in theauthentication process, and challenge workflow encoder 1412. Dataelement 1405 can be stored in buffer 1404. Data element 1405 cancorrespond to all of, a portion of, or a transformation of the requestto transfer resources.

Data structure 1406 can store the total set of challenge workflows forthe user device associated with the request 1402. For example, datastructure 1406 can store challenge workflows 1 through N. Each of thechallenge workflows can include data identifying the workflow involvedin facilitating the challenge. For example, a challenge workflow thatrequires a user to enter a code received as a text message can includedata instructing the authentication system to generate the code andtransmit the code to the user device. As another example, the challengeworkflow can include data for executing the workflow for facilitatingthe challenges.

In some cases, challenge workflow scaling engine 1106 can calculate ascore for each challenge workflow based on data element 1405. Forexample, when data element 1405 includes certain information (e.g., anindication that the request originated from a smartphone), then certainchallenge workflows may correspond to higher scores (or lower scoresdepending on the embodiment). For example, when data element 1405includes a device identifier that the request originated from asmartphone, a challenge workflow that facilitates transmitting an emailincluding a link to the user's personal email address can correspond toa high score, whereas, a challenge workflow that requests a fingerprintscan can receive a low score. In some cases, challenge workflows havinghigh scores can correspond to candidates for the subset of challengeworkflows ultimately used in the authentication process. In other cases,challenge workflows having low scores can correspond to the candidatesfor the subset of challenge workflows.

As only a non-limiting example, in FIG. 14, the score for challengeworkflow 1 can be “89,” the score for challenge workflow 2 can be “52,”the score for challenge workflow 3 can be “73.” The scores are inputtedinto filter 1408. For example, filter 1408 can filter out (e.g., reject)challenge workflows having a score of “75” of less. In this example,challenge workflow 1 would pass through filter 1408 and challengeworkflow 2 would be rejected. Challenge workflow 3 can pass throughfilter 1408 or be rejected by filter 1408, depending on the embodiment.In some cases, filter 1408 can strictly filter out scores based on adefined threshold (e.g., “75” or less, as in the example above). Inthese cases, any score that does not reach the threshold of filter 1408is rejected. In other cases, filter 1408 can be less strict. Forexample, while filter 1408 is set at “75,” filter 1408 can still allowscores of 70 over more to pass through.

Data structure 1410 can store the challenge workflows that pass throughfilter 1408. In the example of FIG. 14, challenge workflows 1 and 3 passthrough filter 1408 and are stored in data structure 1410. Challengeworkflow scaling engine 1106 can use the challenge workflows included indata structure 1410 as the challenge workflows for the authenticationprocess. In some cases, a challenge workflow being stored in datastructure 1410 can correspond to a selection of the challenge workflowfor the authentication process.

Once the challenge workflows are selected (e.g., challenge workflows 1and 3) from the total set of challenge workflows (e.g., challengeworkflows 1 through N), challenge workflow encoder 1412 can encode theselected challenge workflows to be transmitted to controller system1104. For example, challenge workflow encoder 1412 can determineidentifiers of the selected challenge workflows. Challenge workflowencoder 1412 can transmit the identifiers of the selected workflows tocontroller system 1104. Controller system 1104 can facilitate executionof the selected challenge workflows.

It will be appreciated that any number of filters can be used as filter1408 (e.g., one-stage filters, two-stage filters, etc.). Further, itwill also be appreciated that low scores may correspond to candidatesfor selection of challenge workflows. It will also be appreciated thatchallenge workflow encoder 1412 may or may not be included in challengeworkflow scaling engine 1106.

FIG. 15 is a block diagram illustrating an example of determining auser's technology footprint for scaling challenge workflows according toan embodiment. Environment 1500 can include users 1506, 1512, and 1516.Users 1506, 1512, and 1516 can each be associated with a technologyfootprint. A technology footprint can identify devices that areassociated with a user. The devices may be devices that are known toauthentication system 1008. For example, when a user creates a profilewith authentication system 1008, the user can identify the devicesassociated with the user (e.g., smartphones, smartwatches, tablets,etc.).

User 1506 can be associated with laptop 1502-A, smartphone 1502-B, andsmartwatch 1502-C. For example, user 1506 can own laptop 1502-A,smartphone 1502-B, and smartwatch 1502-C. Further, each of laptop1502-A, smartphone 1502-B, and smartwatch 1502-C can be configured towirelessly communicate with wireless gateway 1504. Authentication system1008 can identify each device 1502-A, 1502-B, and 1502-C. User'stechnology footprint can correspond to devices 1502-A, 1502-B, and1502-C. Authentication system 1008 can compile a set of challengeworkflows that are specifically tailored for user 1506's technologyfootprint. For example, authentication system 1008 can determine thatuser 1506 is likely to be a human who is appropriately using services(e.g., not a bot user, bad actor, or hacker) because user has atechnology footprint similar to an average user. Authentication system1008 can compile a set of challenge workflows (e.g., 4 workflows) thatare not difficult to pass or satisfy because user 1506 is likely a humanuser (instead of a bot user). The set of challenge workflows can includeall possible challenge workflows from which a subset of challengeworkflows is selected for the authentication process. In some cases, theselection of the subset of challenge workflows can be based oninformation included in the request to access one or more access rightsstored in a data store transmitted by the user device. In the example ofFIG. 15, authentication system 1008 can select two challenge workflowsfrom the tailored set of challenge workflows for the authenticationprocess of user 1506.

User 1512 can be associated with desktop 1508 which is hardwired torouter 1510. User 1512's technology footprint can correspond to desktop1508. Authentication system 1008 can compile a set of challengeworkflows that are specifically tailored for user 1512's technologyfootprint. For example, authentication system 1008 can determine thatuser 1512 is likely to be a human, but could possibly be a hackerbecause user 1512 has a technology footprint similar to known hackers.Authentication system 1008 can compile a set of challenge workflows(e.g., 5 workflows) that have an average difficulty to pass or satisfybecause user 1506 could potentially be a hacker. The set of challengeworkflows can include all possible challenge workflows from which asubset of challenge workflows is selected for the authenticationprocess. In some cases, the selection of the subset of challengeworkflows can be based on information included in the requesttransmitted by the user device. In the example of FIG. 15,authentication system 1008 can select three challenge workflows from thetailored set of challenge workflows for the authentication process ofuser 1512. For example, authentication system 1008 may select achallenge workflow that requires user 1512 to submit a fingerprint scanto verify that user 1512 is authorized to access a particular userprofile. For example, user 1512 can be logged into a user's profile, andauthentication system 1008 can match fingerprint data included in theuser's profile with fingerprint data received from user 1512 to verifythat user 1512 is the actual owner of the user's profile.

User 1516 can be associated with server farm 1514. User 1512'stechnology footprint can correspond to server farm 1514. Authenticationsystem 1008 can compile a set of challenge workflows that arespecifically tailored for user 1516's technology footprint. For example,authentication system 1008 can determine that user 1516 is likely botuser because user 1516 is transmitting a request to access one or moreaccess rights stored in a data store from a server farm. Authenticationsystem 1008 can compile a set of challenge workflows (e.g., 10workflows) that have a high difficulty to pass or satisfy because user1516 is likely a bot user. The set of challenge workflows can includeall possible challenge workflows from which a subset of challengeworkflows is selected for the authentication process. In some cases, theselection of the subset of challenge workflows can be based oninformation included in the request transmitted by the user device. Inthe example of FIG. 15, authentication system 1008 can select sevenchallenge workflows from the tailored set of challenge workflows for theauthentication process of user 1516. For example, authentication system1008 may select a challenge workflow that requires user 1516 to submit afingerprint scan and a picture of user 1516's face to verify that user1516 is authorized to access a particular user profile. For example,user 1516 can be logged into a user's profile, and authentication system1008 can match fingerprint data and face image data included in theuser's profile with fingerprint data and face image data received fromuser 1516 to verify that user 1516 is the actual owner of the user'sprofile.

FIG. 16 is a flowchart illustrating process 1600 for multi-factorauthentication according to an embodiment. Process 1600 can be performedall, or in part, at a user device (e.g., user device 1002). Further,process 1600 can authenticate a user device by emailing a user'spersonal email address and requiring that the user select a link in theemail while using the user device.

At block 1605, a user can execute an application on a user device (e.g.,a smartphone). For example, a user can simply tap on a touchscreen ofthe user device to select an application. Further, the user can log intothe application using the user's log-in credentials. The user can viewassigned access rights while logged into the application.

At block 1610, a first device identification code (ID) can be determinedwhen the user logs into the application. For example, when the user logsinto the application, the application can determine a device ID of thedevice executing the application. It will be appreciated that the deviceID can be determined at other times. For example, a device ID can bedetermined initially when the user first registers for a profile.

At block 1615, a request to access a data store (e.g., to access one ormore access rights stored in the data store) can be transmitted by theuser device. For example, while logged into the application, the usercan view all or a portion of the assigned access rights. The user canselect an assigned access right and view additional informationassociated with that access right, request that the assigned accessright be reassigned to another user, or perform a print operationcorresponding to the assigned access right.

In some cases, the request may be transmitted along with otherinformation. For example, the request may be transmitted with a deviceID of the device transmitting the request. It will also be appreciatedthat the device ID can be determined and transmitted to theauthentication system in other ways.

At block 1620, the user device can receive an email at the user'spersonal email address. The authentication system can process the user'srequest, and prior to allowing the user to access the one or more accessrights, the authentication system can verify the identity of the user.As part of the authentication process, the authentication system cantransmit or cause to be transmitted an email to the user's personalemail address. The email can include a link. The link can extract orobtain a device ID of the device on which the link was selected. Thedevice ID can then be transmitted back to the authentication system forverification.

At block 1625, a user can open the received email and select the linkincluded in the email. At block 1630, selection of the link can causethe extraction of a second device ID. The second device ID can be adevice ID of the user device on which the link was selected. Forexample, if the user selects the link from a smartphone, the seconddevice ID can be the device ID of the smartphone. If the user selectsthe link from a smartwatch, the second device ID can be the device ID ofthe smartwatch. In some cases, when the user transmits the request froma smartphone, and later selects the link included in the email on atablet device, the authentication system can instruct the user to selectthe link from the device, which was used to transmit the request. Atblock 1635, the second device ID can be transmitted to theauthentication system.

At block 1640, the user device can receive a grant of the request toaccess a data store storing one or more access rights associated withthe user device. In some cases, when the first device ID matches thesecond device ID, then the authentication system can grant the user'srequest. In other cases, when the first device ID does not match thesecond device ID, then the user device can be provided with one or morewarnings to select the link from the device originating the request. Inother cases, the authentication process can be terminated if the firstdevice ID does not match the second device ID.

FIG. 17 is a flowchart illustrating process 1700 for scaling challengeworkflows according to an embodiment. All or a portion of process 1700can be performed at an authentication system (e.g., authenticationsystem 1008). Further, process 1700 can scale N-challenge workflows usedin the authentication process before granting the request to access thedata store. The scaling of the N-challenge workflows can includeselecting a different number of challenge workflows for differentdevices or different situations. Process 1700 can also be used todetermine the total set of challenge workflows from which a subset ofchallenge workflows is selected for the authentication process.

At block 1705, the authentication system can receive the first device IDand the request to access the data store. In some cases, the firstdevice ID can be retrieved from another location (e.g., another storageserver) and is not included with the request. In some cases, the firstdevice ID corresponds to the device ID of the user device whichoriginated the request. For example, if the user selects the “transfer”button on a smartphone, the first device ID can be the device ID of thesmartphone.

At block 1710, the authentication server determines the number N ofchallenge workflows to be included in the authentication process. Insome cases, a subset N of challenge workflows can be selected from atotal set M of challenge workflows, where N and M are integers, suchthat N<M. The total set M of challenge workflows can be determined basedon various factors and can be specifically tailored for a particularuser device. The subset N of selected challenge workflows can beselected based on information included in the request or can be selectedby default.

At block 1715, the authentication server can facilitate N challengespresented to the user according to the selected N challenge workflows.For example, if two challenge workflows are selected, then theauthentication system can facilitate two challenges to be presented tothe user. At block 1720, the authentication system can receive Nresponses from the user to the N challenges presented to the user. Forexample, one challenge may be to enter a code received at the userdevice via text message. A response received from the user can includethe code entered by the user operating the user device.

At block 1725, the authentication system can authenticate the received Nresponses. In some cases, the authentication system can determine thatthe original request to access the data store is granted only when all Nresponses received from the user are correct. In other cases, theauthentication system can determine that the request is granted when acertain threshold percentage of the N responses received from the userare correct. For example, the authentication system can determine orauthenticate a response to a challenge by comparing information receivedfrom the user with information stored in the authentication system. Theinformation received from the user can be caused to be sent by the user,and does not necessarily have to be knowingly or intentionallytransmitted by the user. For example, when the user selects a link in anemail received from the communication server, the device ID of the userdevice is automatically transmitted to the authentication server withoutfurther action from the user. If the N responses are not authenticated(e.g., when the user fails the challenges), the process can end here andthe request can be denied. In some cases, the authentication system canprovide additional challenges when the user fails the first subset ofchallenges in the authentication process.

At block 1730, the authentication system can grant the request. In somecases, once the user device is verified or authenticated, the user maynot have to re-authorize his or her user device for subsequent requeststo access the data store. In other cases, for example, the user may haveto re-authorize his or her user devices periodically, randomly, or ateach request to access the data store. When the request to access thedata store is granted, the user may be directed to an application pageor website that can facilitate the transfer or sale of the resources.

Specific details are given in the above description to provide athorough understanding of the embodiments. However, it is understoodthat the embodiments can be practiced without these specific details.For example, circuits can be shown in block diagrams in order not toobscure the embodiments in unnecessary detail. In other instances,well-known circuits, processes, algorithms, structures, and techniquescan be shown without unnecessary detail in order to avoid obscuring theembodiments.

Implementation of the techniques, blocks, steps and means describedabove can be done in various ways. For example, these techniques,blocks, steps and means can be implemented in hardware, software, or acombination thereof. For a hardware implementation, the processing unitscan be implemented within one or more application specific integratedcircuits (ASICs), digital signal processors (DSPs), digital signalprocessing devices (DSPDs), programmable logic devices (PLDs), fieldprogrammable gate arrays (FPGAs), processors, controllers,micro-controllers, microprocessors, other electronic units designed toperform the functions described above, and/or a combination thereof.

Also, it is noted that the embodiments can be described as a processwhich is depicted as a flowchart, a flow diagram, a data flow diagram, astructure diagram, or a block diagram. Although a flowchart can describethe operations as a sequential process, many of the operations can beperformed in parallel or concurrently. In addition, the order of theoperations can be re-arranged. A process is terminated when itsoperations are completed, but could have additional steps not includedin the figure. A process can correspond to a method, a function, aprocedure, a subroutine, a subprogram, etc. When a process correspondsto a function, its termination corresponds to a return of the functionto the calling function or the main function.

Furthermore, embodiments can be implemented by hardware, software,scripting languages, firmware, middleware, microcode, hardwaredescription languages, and/or any combination thereof. When implementedin software, firmware, middleware, scripting language, and/or microcode,the program code or code segments to perform the necessary tasks can bestored in a machine readable medium such as a storage medium. A codesegment or machine-executable instruction can represent a procedure, afunction, a subprogram, a program, a routine, a subroutine, a module, asoftware package, a script, a class, or any combination of instructions,data structures, and/or program statements. A code segment can becoupled to another code segment or a hardware circuit by passing and/orreceiving information, data, arguments, parameters, and/or memorycontents. Information, arguments, parameters, data, etc. can be passed,forwarded, or transmitted via any suitable means including memorysharing, message passing, ticket passing, network transmission, etc.

For a firmware and/or software implementation, the methodologies can beimplemented with modules (e.g., procedures, functions, and so on) thatperform the functions described herein. Any machine-readable mediumtangibly embodying instructions can be used in implementing themethodologies described herein. For example, software codes can bestored in a memory. Memory can be implemented within the processor orexternal to the processor. As used herein the term “memory” refers toany type of long term, short term, volatile, nonvolatile, or otherstorage medium and is not to be limited to any particular type of memoryor number of memories, or type of media upon which memory is stored.

Moreover, as disclosed herein, the term “storage medium”, “storage” or“memory” can represent one or more memories for storing data, includingread only memory (ROM), random access memory (RAM), magnetic RAM, corememory, magnetic disk storage mediums, optical storage mediums, flashmemory devices and/or other machine readable mediums for storinginformation. The term “machine-readable medium” includes, but is notlimited to portable or fixed storage devices, optical storage devices,wireless channels, and/or various other storage mediums capable ofstoring that contain or carry instruction(s) and/or data.

While the principles of the disclosure have been described above inconnection with specific apparatuses and methods, it is to be clearlyunderstood that this description is made only by way of example and notas limitation on the scope of the disclosure.

What is claimed is:
 1. A system for scalable authentication of access toresource data using challenge workflows, the system comprising: aresource data store that stores resource data corresponding to aplurality of access rights to a resource, each of the plurality ofaccess rights being indicative of access to the resource during adefined time period; and an authentication system, including one or moreprocessor devices, that: receives a first communication from a userdevice, the first communication corresponding to a request for access toone or more access rights assigned to the user device, and the one ormore access rights being included in the plurality of access rightsstored in the resource data store; extracts a device identifier of theuser device from the first communication, the device identifiercharacterizing an attribute of the user device; accesses a set ofchallenge workflows, each challenge workflow of the set of challengeworkflows being a process that is executed to authenticate user devicesrequesting access to the resource data store; generates a parameter foreach challenge workflow of the set of challenge workflows, thegeneration of the parameter for each challenge workflow being based onthe device identifier of the user device; selects a subset of challengeworkflows from the set of challenge workflows, the selection of thesubset being performed using a comparison of each parameter and athreshold condition, wherein selecting the subset includes: determining,for each challenge workflow of the set of challenge workflows, whetherthe parameter associated with the challenge workflow satisfies thethreshold condition, the threshold condition corresponding to a value,and for each parameter that satisfies the threshold condition, includingthe associated challenge workflow in the subset of challenge workflows;executes each challenge workflow of the subset of challenge workflows,the execution of a challenge workflow from the subset includingperforming an authentication test to be satisfied before access to theone or more access rights is granted; receives one or more secondcommunications, each of the one or more second communicationscorresponding to a response to an authentication test associated withexecution of a challenge workflow; determines, for each challengeworkflow of the subset of challenge workflows, whether the correspondingsecond communication satisfies the associated authentication test; andestablishes a communication link between the user device and theresource data store to grant access to the one or more access rightswhen the corresponding authentication test for each challenge workflowof the subset of challenge workflows is satisfied.
 2. The system forscalable authentication of access to resource data using challengeworkflows, as recited in claim 1, wherein executing each challengeworkflow of the subset of challenge workflows further comprises:transmitting a communication trigger that initiates transmission of athird communication to the user device using a communication channel,and the third communication including a selectable interactive element;receiving a fourth communication including an additional deviceidentifier identifying an electronic device on which the selectableinteractive element was selected, the selection of the selectableinteractive element causing the fourth communication to be transmitted;comparing the device identifier and the additional device identifier;and establishing the communication link between the user device and theresource data store to facilitate access to the one or more accessrights when the device identifier corresponds to the additional deviceidentifier.
 3. The system for scalable authentication of access toresource data using challenge workflows, as recited in claim 1, whereinthe request includes the device identifier, and wherein the deviceidentifier includes data representing a type of computing device of theuser device.
 4. The system for scalable authentication of access toresource data using challenge workflows, as recited in claim 1, whereinwhen the device identifier identifies that the user device is a mobilecomputing device, the subset of challenge workflows selected is smallerthan when the device identifier identifies that the user device is aserver.
 5. The system for scalable authentication of access to resourcedata using challenge workflows, as recited in claim 1, whereinestablishing the communication link between the user device and theresource data store further comprises: authorizing the user device tointeract with the one or more access rights assigned to the user deviceand stored in the resource data store, wherein interacting with the oneor more access rights includes initiating a request to reassign the oneor more access rights to another user or initiating a printing operationcorresponding to the one or more access rights.
 6. The system forscalable authentication of access to resource data using challengeworkflows, as recited in claim 1, wherein the authentication systemfurther: determines whether or not to initiate an authenticationprocess, the determination of whether or not to initiate theauthentication process being based on information included in the firstcommunication, and the authentication process corresponding to executionof one or more challenge workflows, wherein: when the determination isnot to initiate the authentication process, the user device is grantedaccess to the one or more access rights without execution of a challengeworkflow, and when the determination is to initiate the authenticationprocess, each of the subset of challenge workflows are executed.
 7. Acomputer-implemented method for scalable authentication of access toresource data using challenge workflows, comprising: receiving a firstcommunication from a user device, the first communication correspondingto a request for access to one or more access rights assigned to theuser device, and the one or more access rights being included in aplurality of access rights stored in a resource data store; extracting adevice identifier of the user device from the first communication, thedevice identifier characterizing an attribute of the user device;accessing a set of challenge workflows, each challenge workflow of theset of challenge workflows being a process that is performed toauthenticate user devices requesting access to the resource data store;generating a parameter for each challenge workflow of the set ofchallenge workflows, the generation of the parameter for each challengeworkflow being based on the device identifier of the user device;selecting a subset of challenge workflows from the set of challengeworkflows, the selection of the subset being performed using acomparison of each parameter and a threshold condition, whereinselecting the subset includes: determining, for each challenge workflowof the set of challenge workflows, whether the parameter associated withthe challenge workflow satisfies the threshold condition, the thresholdcondition corresponding to a value, and for each parameter thatsatisfies the threshold condition, including the associated challengeworkflow in the subset of challenge workflows: executing each challengeworkflow of the subset of challenge workflows, the execution of achallenge workflow from the subset including performing anauthentication test to be satisfied before access to the one or moreaccess rights is granted; receiving one or more second communications,each of the one or more second communications corresponding to aresponse to an authentication test associated with execution of achallenge workflow; determining, for each challenge workflow of thesubset of challenge workflows, whether the corresponding secondcommunication satisfies the associated authentication test; andestablishing a communication link between the user device and theresource data store to grant access to the one or more access rightswhen the corresponding authentication test for each challenge workflowof the subset of challenge workflows is satisfied.
 8. Thecomputer-implemented method for scalable authentication of access toresource data using challenge workflows, as recited in claim 7, whereinexecuting each challenge workflow of the subset of challenge workflowsfurther comprises: transmitting a communication trigger that initiatestransmission of a third communication to the user device using acommunication channel, and the third communication including aselectable interactive element; receiving a fourth communicationincluding an additional device identifier identifying an electronicdevice on which the selectable interactive element was selected, theselection of the selectable interactive element causing the fourthcommunication to be transmitted; comparing the device identifier and theadditional device identifier; and establishing the communication linkbetween the user device and the resource data store to facilitate accessto the one or more access rights when the device identifier correspondsto the additional device identifier.
 9. The computer-implemented methodfor scalable authentication of access to resource data using challengeworkflows, as recited in claim 7, wherein the request includes thedevice identifier, and wherein the device identifier includes datarepresenting a type of computing device of the user device.
 10. Thecomputer-implemented method for scalable authentication of access toresource data using challenge workflows, as recited in claim 7, whereinwhen the device identifier identifies that the user device is a mobilecomputing device, the subset of challenge workflows selected is smallerthan when the device identifier identifies that the user device is aserver.
 11. The computer-implemented method for scalable authenticationof access to resource data using challenge workflows, as recited inclaim 7, wherein establishing the communication link between the userdevice and the resource data store further comprises: authorizing theuser device to interact with the one or more access rights assigned tothe user device and stored in the resource data store, whereininteracting with the one or more access rights includes initiating arequest to reassign the one or more access rights to another user orinitiating a printing operation corresponding to the one or more accessrights.
 12. The computer-implemented method for scalable authenticationof access to resource data using challenge workflows, as recited inclaim 7, further comprising: determining whether or not to initiate anauthentication process, the determination of whether or not to initiatethe authentication process being based on information included in thefirst communication, and the authentication process corresponding toexecution of one or more challenge workflows, wherein: when thedetermination is not to initiate the authentication process, the userdevice is granted access to the one or more access rights withoutexecution of a challenge workflow, and when the determination is toinitiate the authentication process, each of the subset of challengeworkflows are executed.
 13. A computer-program product stored in anon-transitory machine-readable storage medium, including instructionsconfigured to cause a data processing apparatus to perform operationsincluding: receiving a first communication from a user device, the firstcommunication corresponding to a request for access to one or moreaccess rights assigned to the user device, and the one or more accessrights being included in a plurality of access rights stored in aresource data store; extracting a device identifier of the user devicefrom the first communication, the device identifier characterizing anattribute of the user device; accessing a set of challenge workflows,each challenge workflow of the set of challenge workflows being aprocess that is performed to authenticate user devices requesting accessto the resource data store; generating a parameter for each challengeworkflow of the set of challenge workflows, the generation of theparameter for each challenge workflow being based on the deviceidentifier of the user device; selecting a subset of challenge workflowsfrom the set of challenge workflows, the selection of the subset beingperformed using a comparison of each parameter and a thresholdcondition, wherein selecting the subset includes: determining, for eachchallenge workflow of the set of challenge workflows, whether theparameter associated with the challenge workflow satisfies the thresholdcondition, the threshold condition corresponding to a value, and foreach parameter that satisfies the threshold condition, including theassociated challenge workflow in the subset of challenge workflows;executing each challenge workflow of the subset of challenge workflows,the execution of a challenge workflow from the subset includingperforming an authentication test to be satisfied before access to theone or more access rights is granted; receiving one or more secondcommunications, each of the one or more second communicationscorresponding to a response to an authentication test associated withexecution of a challenge workflow; determining, for each challengeworkflow of the subset of challenge workflows, whether the correspondingsecond communication satisfies the associated authentication test; andestablishing a communication link between the user device and theresource data store to grant access to the one or more access rightswhen the corresponding authentication test for each challenge workflowof the subset of challenge workflows is satisfied.
 14. Thecomputer-program product, as recited in claim 13, wherein executing eachchallenge workflow of the subset of challenge workflows furthercomprises: transmitting a communication trigger that initiatestransmission of a third communication to the user device using acommunication channel, and the third communication including aselectable interactive element; receiving a fourth communicationincluding an additional device identifier identifying an electronicdevice on which the selectable interactive element was selected, theselection of the selectable interactive element causing the fourthcommunication to be transmitted; comparing the device identifier and theadditional device identifier; and establishing the communication linkbetween the user device and the resource data store to facilitate accessto the one or more access rights when the device identifier correspondsto the additional device identifier.
 15. The computer-program product,as recited in claim 13, wherein the request includes the deviceidentifier, and wherein the device identifier includes data representinga type of computing device of the user device.
 16. The computer-programproduct, as recited in claim 13, wherein when the device identifieridentifies that the user device is a mobile computing device, the subsetof challenge workflows selected is smaller than when the deviceidentifier identifies that the user device is a server.
 17. Thecomputer-program product, as recited in claim 13, wherein establishingthe communication link between the user device and the resource datastore further comprises: authorizing the user device to interact withthe one or more access rights assigned to the user device and stored inthe resource data store, wherein interacting with the one or more accessrights includes initiating a request to reassign the one or more accessrights to another user or initiating a printing operation correspondingto the one or more access rights.